This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
docs/
-
ReleaseNotes.rst
-
include/clang/
-
clang/
-
AST/
4/4
Decl.h
-
DeclBase.h
4/4
Randstruct.h
-
Basic/
3/3
Attr.td
1/2
AttrDocs.td
-
DiagnosticDriverKinds.td
1/1
DiagnosticSemaKinds.td
-
LangOptions.h
-
Driver/
1/1
Options.td
-
lib/
-
AST/
-
CMakeLists.txt
-
Decl.cpp
7/12
Randstruct.cpp
-
Driver/ToolChains/
-
ToolChains/
2
Clang.cpp
-
Frontend/
1/5
CompilerInvocation.cpp
-
Sema/
-
SemaCast.cpp
3/5
SemaDecl.cpp
2/5
SemaDeclAttr.cpp
-
test/Misc/
-
Misc/
-
pragma-attribute-supported-attributes-list.test
-
unittests/AST/
-
AST/
-
CMakeLists.txt
6/12
RandstructTest.cpp

Differential D121556

[randstruct] Add randomize structure layout support
ClosedPublic

Authored by void on Mar 13 2022, 1:41 PM.

Download Raw Diff

Details

Reviewers

aaron.ballman
jfb
connorkuehl
rsmith
timpugh
MaskRay

Commits

rG7aa8c38a9e19: [randstruct] Add randomize structure layout support
rG3f0587d0c668: [randstruct] Add randomize structure layout support

Summary

The Randstruct feature is a compile-time hardening technique that
randomizes the field layout for designated structures of a code base.
Admittedly, this is mostly useful for closed-source releases of code,
since the randomization seed would need to be available for public and
open source applications.

Why implement it? This patch set enhances Clang’s feature parity with
that of GCC which already has the Randstruct feature. It's used by the
Linux kernel in certain structures to help thwart attacks that depend on
structure layouts in memory.

This patch set is a from-scratch reimplementation of the Randstruct
feature that was originally ported to GCC. The patches for the GCC
implementation can be found here:

https://www.openwall.com/lists/kernel-hardening/2017/04/06/14

Link: https://lists.llvm.org/pipermail/cfe-dev/2019-March/061607.html
Co-authored-by: Cole Nixon <nixontcole@gmail.com>
Co-authored-by: Connor Kuehl <cipkuehl@gmail.com>
Co-authored-by: James Foster <jafosterja@gmail.com>
Co-authored-by: Jeff Takahashi <jeffrey.takahashi@gmail.com>
Co-authored-by: Jordan Cantrell <jordan.cantrell@mail.com>
Co-authored-by: Nikk Forbus <nicholas.forbus@gmail.com>
Co-authored-by: Tim Pugh <nwtpugh@gmail.com>
Co-authored-by: Bill Wendling <isanbard@gmail.com>
Signed-off-by: Bill Wendling <isanbard@gmail.com>

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

void created this revision.Mar 13 2022, 1:41 PM

Herald added a reviewer: aaron.ballman. · View Herald TranscriptMar 13 2022, 1:41 PM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: dang, jdoerfert, mgorny. · View Herald Transcript

void requested review of this revision.Mar 13 2022, 1:41 PM

Herald added a project: Restricted Project. · View Herald TranscriptMar 13 2022, 1:41 PM

Herald added a subscriber: cfe-commits. · View Herald Transcript

This is a soft reworking of @connorkuehl's work in https://reviews.llvm.org/D59254. Please take a look!

tschuett added a subscriber: tschuett.Mar 13 2022, 2:12 PM

Harbormaster completed remote builds in B154002: Diff 414951.Mar 13 2022, 2:36 PM

Thank you for working on this new security feature! I like it and I think it's heading in the right direction.

Can you please add a release note for the new functionality?

This is missing tests for the Driver diagnostics, the Sema diagnostics (including existing diagnostics like writing the attribute on the wrong subject or giving it args when it doesn't expect them, wrong language mode, etc), and the CodeGen behavior, so those should be added. Also, the Windows pre-commit CI is failing:

Failed Tests (7):
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.AnonymousStructsAndUnionsRetainFieldOrder
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.CheckAdjacentBitfieldsRemainAdjacentAfterRandomization
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.CheckVariableLengthArrayMemberRemainsAtEndOfStructure
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.MarkedRandomize
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.MultipleAttrsRandomize
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.RandstructDoesNotOverrideThePackedAttr
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.ZeroWidthBitfieldsSeparateAllocationUnits
 
Testing Time: 676.49s
  Skipped          :     4
  Unsupported      :   202
  Passed           : 29832
  Expectedly Failed:    31
  Failed           :     7

clang/include/clang/AST/Decl.h
2842	It's unfortunate that every field node in the AST is now going to be 4 bytes larger for this feature; I worry about the extra memory pressure from the additional overhead, so if there's a way for us to save some space here, I think it might be worth it. (I'm worried that our max template instantiation depth will shrink because of this.)
4056	A setter that is marked `const` does not spark joy for me... Can we use friendship rather than mutability to solve this?
clang/include/clang/AST/Randstruct.h
35	Doing this with a global variable is unfortunate; it could make things harder when we multithread the frontend. Can we solve this without a global? (And if not, does this global need to be a `ManagedStatic`?)
clang/include/clang/Basic/Attr.td
3954–3955	Microsoft does not implement this `__declspec`, correct? If they don't, we shouldn't either (even if GCC does) unless there's a very good reason to do so. That's Microsoft's design space we're encroaching on. I'd also like to understand the justification for adding a new keyword for this.
3964–3965	Same here.
clang/include/clang/Basic/AttrDocs.td
6389	I think it would help to explain the effects of this attribute in conjunction with structure packing techniques (the `packed` attribute and bit-fields) and whether any attempt is made to keep the structure packed or those fields together or not. I'd expect no such attempt is made, but people may want to know "attempts to pack this structure" and "randomize this structure layout" are not compatible. (We may want to diagnose in the case of seeing the `packed` attribute, in fact.) We should also be more clear that the seed specified does not have to be numeric in nature (from the file or when directly on the command line).
clang/lib/AST/DeclBase.cpp
28 ↗	(On Diff #414951)	Is this include necessary?
clang/lib/AST/Randstruct.cpp
73	This size seems as defensible as most others; do you plan to do more here, or should this comment be removed?
100	Oh cool, we do bit-field runs! How should we handle anonymous bit-fields (if anything special should be done for them at all)? People usually use them for padding between bit-fields, so it's not clear to me how to treat them when randomizing.
180	This one seems a bit large to me; any reason not to use `16` again?
186
clang/lib/Parse/ParseDeclCXX.cpp
2063–2069 ↗	(On Diff #414951)	I think this works okay for C, but I think if we ever attempted to provide this functionality in C++, the calls to `addDecl()` would be rather expensive because it eventually calls `addedMember()` which calculates information about the structure (whether it's copy constructible, has a trivial destructor, etc) and we don't need to redo any of that work. However, for now, I think this is fine.
clang/lib/Sema/AnalysisBasedWarnings.cpp
2166–2167 ↗	(On Diff #414951)
2503 ↗	(On Diff #414951)	No, this function is only called when popping a function scope, and so the only declaration it has access to is the `FunctionDecl`. Or do I misunderstand the question?
clang/lib/Sema/SemaDecl.cpp
27	Is this include necessary?
clang/lib/Sema/SemaDeclAttr.cpp
8653–8659	I don't think this is sufficient. Consider redeclaration merging cases: struct [[gnu::randomize_layout]] S; struct [[gnu::no_randomize_layout]] S {}; struct [[gnu::no_randomize_layout]] T; struct [[gnu::randomize_layout]] T {}; I think if the user accidentally does something like this, it should be diagnosed. I would have assumed this would warrant an error diagnostic because the user is obviously confused as to what they want, but it seems GCC ignores the subsequent diagnostic with a warning: https://godbolt.org/z/1q8dazYPW. There's also the "confused attribute list" case which GCC just... does... things... with: https://godbolt.org/z/rnfsn7hG1. I think we want to behave more consistently with how we treat these cases. Either way, we shouldn't be silent.

aaron.ballman mentioned this in D120857: WIP [randstruct] Add randomize structure layout support.Mar 17 2022, 5:25 AM

void marked 7 inline comments as done.Mar 17 2022, 4:13 PM

void added inline comments.

clang/include/clang/AST/Decl.h
4056	It was done to prevent a `const_cast`. It looks like the other setters are non-const. I'll see if I can get around that.
clang/include/clang/AST/Randstruct.h
35	Maybe this could be moved to `LangOpts`?
clang/include/clang/Basic/Attr.td
3954–3955	Good point. I'll remove those.
clang/lib/AST/DeclBase.cpp
28 ↗	(On Diff #414951)	Hmm...that must have been from a previous change. Removed.
clang/lib/AST/Randstruct.cpp
73	It's probably not worth looking into unless it becomes an issue. I'll remove it.
100	Good question! I'm not sure either. On one hand, I'm rather concerned about changing bitfield order in general, but it appears to be something that GCC's plugin does, so...
180	The code above looks to apply mostly to bitfield runs. This is for all fields in a structure. I assumed (without proof) that this will always be larger than the bitfield runs. :-)
clang/lib/Parse/ParseDeclCXX.cpp
2063–2069 ↗	(On Diff #414951)	God help the person who does this for C++! :-) Joking aside, supporting C++ will probably result in a almost total rewrite of this feature.
clang/lib/Sema/AnalysisBasedWarnings.cpp
2503 ↗	(On Diff #414951)	Sounds good to me. Is this the best place for this check then?
clang/lib/Sema/SemaDeclAttr.cpp
8653–8659	The GCC feature is done via a plugin in Linux. So godbolt probably won't work in this case. I'll check to see how GCC responds to these attribute situations.

General cleanup of code. Removing unneeded headers and comments. Removing a "const" from a setter. Not defining this for MS's declspecs or making the attributes keywords.

Harbormaster completed remote builds in B154951: Diff 416354.Mar 17 2022, 6:38 PM

aaron.ballman added inline comments.Mar 18 2022, 5:52 AM

clang/include/clang/AST/Randstruct.h
35	That's a really good idea, let's go with that approach.
clang/include/clang/Basic/DiagnosticSemaKinds.td
11580
clang/lib/AST/Randstruct.cpp
100	Yeah, I was really surprised about bit-fields as well. I'm especially concerned that bit-fields which were [un]carefully straddling allocation unit boundaries might be rearranged such that subtle atomic bugs and whatnot will be exposed. If we find these sort of concerns are valid in real world code, we may want to add a second command line option (off-by-default, perhaps) for enabling rearranging bit-fields. But for now, I think it's fine to follow GCC's lead here.
180	I think that's a safe assumption and it's probably not worth worrying about overly much. It's more that 16 bit-fields seemed like it would be large enough to cover most bit-fields in a class while still being "small", but 64 fields seems likely to be way larger than most structures will need and isn't very small. That said, I don't have a strong feeling here and I think the numbers are defensible unless we measure something that says otherwise.
clang/lib/Sema/AnalysisBasedWarnings.cpp
2503 ↗	(On Diff #414951)	I'm not convinced it is the best place for it -- analysis-based warnings are typically ones that require a CFG to be analyzed and so they are only run once we know the function body itself is valid (they also typically require the user to manually enable the checks -- your check runs always, even if the user hasn't enabled struct randomization, so it walks a lot of ASTs it doesn't need to). Your check doesn't require a CFG at all and it seems like it can be done purely when building the AST. I think a better place for this checking is in SemaCast.cpp in the `CastOperation` class.

Move SEED into LangOpts.

Harbormaster completed remote builds in B155287: Diff 416808.Mar 20 2022, 6:06 PM

Fix how the command line flags are handled.

Herald added a subscriber: MaskRay. · View Herald TranscriptMar 25 2022, 1:00 PM

Add "err_" prefix to error message.

clang/include/clang/AST/Decl.h
2842	Turns out this field wasn't used. I removed it.
clang/include/clang/Basic/AttrDocs.td
6389	Having randomization and the `packed` attribute probably isn't the best option. I'll modify things to prevent that from happening.

Harbormaster completed remote builds in B156346: Diff 418307.Mar 25 2022, 2:28 PM

Move casting check into the SemaCast where it belongs.

void marked 2 inline comments as done.Mar 25 2022, 4:19 PM

Harbormaster completed remote builds in B156385: Diff 418356.Mar 26 2022, 3:24 AM

Make sure the command line seed is properly passed on to each front-end level.
Some general cleanups.

Harbormaster completed remote builds in B156477: Diff 418480.Mar 28 2022, 11:43 AM

Moved the randomization to a better spot.

Friendly ping for review. :-)

Harbormaster completed remote builds in B157065: Diff 419282.Mar 31 2022, 4:57 AM

Generally I think things are looking pretty good, but there's still an open question and Precommit CI is still failing on Windows:

Failed Tests (7):
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.AnonymousStructsAndUnionsRetainFieldOrder
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.CheckAdjacentBitfieldsRemainAdjacentAfterRandomization
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.CheckVariableLengthArrayMemberRemainsAtEndOfStructure
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.MarkedRandomize
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.MultipleAttrsRandomize
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.RandstructDoesNotOverrideThePackedAttr
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.ZeroWidthBitfieldsSeparateAllocationUnits

clang/include/clang/Basic/Attr.td
3961–3975	This gets rid of one of the AST nodes and uses an accessor instead. e.g., the user can still write `[[gnu::no_randomize_layout]]` on a struct declaration, we'll generate a `RandomizeLayoutAttr` for it, and you can call `->isDisabled()` on an object to tell whether it's the `no_` spelling or not. I don't feel super strong about this change, so if it turns out to make code elsewhere significantly worse, feel free to ignore. My reasoning for combing is that the `no` variant doesn't carry much semantic weight but eats up an attribute kind value just the same; it seemed like a heavy use for an AST node.
clang/lib/Sema/SemaDeclAttr.cpp
8653–8659	Thoughts on this?

In D121556#3419184, @aaron.ballman wrote:

Generally I think things are looking pretty good, but there's still an open question and Precommit CI is still failing on Windows:

Failed Tests (7):
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.AnonymousStructsAndUnionsRetainFieldOrder
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.CheckAdjacentBitfieldsRemainAdjacentAfterRandomization
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.CheckVariableLengthArrayMemberRemainsAtEndOfStructure
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.MarkedRandomize
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.MultipleAttrsRandomize
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.RandstructDoesNotOverrideThePackedAttr
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.ZeroWidthBitfieldsSeparateAllocationUnits

Strange. I wonder if Windows is using a different algorithm for the randomization function. I'll investigate and see what can be done here.

Simplify the attributes by using an accessor instead of a separate "no_ranomize_layout" attribute.

Release note is missing

In D121556#3419184, @aaron.ballman wrote:

Generally I think things are looking pretty good, but there's still an open question and Precommit CI is still failing on Windows:

Failed Tests (7):
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.AnonymousStructsAndUnionsRetainFieldOrder
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.CheckAdjacentBitfieldsRemainAdjacentAfterRandomization
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.CheckVariableLengthArrayMemberRemainsAtEndOfStructure
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.MarkedRandomize
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.MultipleAttrsRandomize
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.RandstructDoesNotOverrideThePackedAttr
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.ZeroWidthBitfieldsSeparateAllocationUnits

Do you have a URL for this failure or the output message?

In D121556#3427604, @xbolva00 wrote:

Release note is missing

Sorry about that. I'll add one with the next update.

In D121556#3427620, @void wrote:

In D121556#3419184, @aaron.ballman wrote:

Generally I think things are looking pretty good, but there's still an open question and Precommit CI is still failing on Windows:

Failed Tests (7):
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.AnonymousStructsAndUnionsRetainFieldOrder
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.CheckAdjacentBitfieldsRemainAdjacentAfterRandomization
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.CheckVariableLengthArrayMemberRemainsAtEndOfStructure
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.MarkedRandomize
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.MultipleAttrsRandomize
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.RandstructDoesNotOverrideThePackedAttr
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.ZeroWidthBitfieldsSeparateAllocationUnits

Do you have a URL for this failure or the output message?

https://reviews.llvm.org/D121556
->
Harbormaster completed remote builds in B156477: Diff 418480. (https://reviews.llvm.org/harbormaster/build/233718/)
->
x64 windows failed (https://buildkite.com/llvm-project/premerge-checks/builds/86170#c5c61c34-004b-4e62-a3b4-4654fb8d1dc7)

Add an entry in the Release Notes.
Change the command line flags to better match the attribute naming.

First pass at fixing the Windows unit test errors.

Harbormaster completed remote builds in B157830: Diff 420312.Apr 4 2022, 3:20 PM

Second attempt to fix Windows errors. Expecting one more iteration.

Harbormaster completed remote builds in B157848: Diff 420332.Apr 4 2022, 4:46 PM

void added inline comments.Apr 5 2022, 12:35 PM

clang/lib/Sema/SemaDeclAttr.cpp
8653–8659	Okay, finally tested it with the GCC plugin. It doesn't produce a diagnostic. I'm not sure if that's the correct behavior, but at least it matches. How is such a thing handled with similar attributes?

aaron.ballman added inline comments.Apr 6 2022, 11:27 AM

clang/include/clang/AST/Randstruct.h
32–36	Might as well be consistent with the other type names.
clang/include/clang/Driver/Options.td
2125–2136	You should condense these a bit to keep the style the same as the surrounding code.
clang/lib/AST/Randstruct.cpp
72–76	Default ctor already does the right thing, so no need to do the initialization.
clang/lib/Sema/SemaDeclAttr.cpp
8653–8659	Okay, finally tested it with the GCC plugin. It doesn't produce a diagnostic. I'm not sure if that's the correct behavior, but at least it matches. How is such a thing handled with similar attributes? As you might be unsurprised to learn: inconsistently. :-D However, we typically try to make attributes mutually exclusive (e.g., `hot` and `cold`, `global` and `device`, etc). Unfortunately, I gave you some advice earlier to combine into one semantic attribute and that may have been less-than-awesome advice. Attr.td supports the ability to trivially define to attributes as mutually exclusive (e.g., `def : MutualExclusions<[Hot, Cold]>;` but this works on the attribute level and not the spelling level. It's probably easier for you to split the definition back into two attributes in Attr.td and just use the `MutualExclusions` support we already have. Sorry for that churn! If you wanted to (and I certainly don't insist), another option would be to modify ClangAttrEmitter.cpp and Attr.td to support mutual exclusion syntax on the spelling level, so you could do something like: def : MutualExclusions<[ RandomizeLayout<GCC<"randomize_layout">>, RandomizeLayout<GCC<"no_randomize_layout">> ]>; where you specify the attribute and the spelling, then you could leave `RandomizeLayout` as a single semantic spelling. But again, I don't insist.
clang/unittests/AST/RandstructTest.cpp
155–159	Any idea what's gone wrong here? (Do we have a bug to file because these come out reversed? If so, can you add a FIXME comment here that we expect this test to change someday?)
209–214	Is the assertion unrelated to the changes in your patch and you just happen to hit it with this test? (I get worried when tests trigger assertions.)

Don't re-randomize a structure. Also some minor style changes.

clang/lib/Sema/SemaDecl.cpp
27	Yes. There's a call to `randstruct::randomizeStructureLayout` below.
clang/unittests/AST/RandstructTest.cpp
155–159	I think it's just a case where Windows' algorithm for `std::mt19937` is subtly different than the one for Linux. I'm not sure we should worry about it too much, to be honest. As long as it produces a deterministic output on the same platform we should be fine. I think it's expected that the same compiler/environment is used during all compilation steps. (I.e., one's not going to compile a module on Windows for a kernel build on Linux.)
209–214	To be honest, I haven't looked at these tests. I inherited them from the previous code base. I'll revisit these and probably delete them if they're not useful.

Harbormaster completed remote builds in B158314: Diff 420972.Apr 6 2022, 2:56 PM

Recap: aside from the function merging behavior and the possible question about assertions in tests, I think this is ready to go.

clang/lib/Sema/SemaDecl.cpp
27	Oh derp, I missed that. :-)
clang/unittests/AST/RandstructTest.cpp
155–159	Okay, that's a great reason for this to be left alone.
209–214	Okay, that sounds good to me.

dexonsmith removed a subscriber: dexonsmith.Apr 7 2022, 12:14 PM

Make the randomize_layout and no_randomize_layout attributes mutually exclutsive.

Harbormaster completed remote builds in B158587: Diff 421358.Apr 7 2022, 4:41 PM

Fix bad formatting.

Harbormaster completed remote builds in B158624: Diff 421416.Apr 7 2022, 10:54 PM

Precommit CI is failing on one test:

Failed Tests (1):

Clang :: Misc/pragma-attribute-supported-attributes-list.test

but with that test fixed, this LGTM! (Feel free to land with the test fixed unless you want another round of review.) Thank you for the awesome new security feature!

This revision is now accepted and ready to land.Apr 8 2022, 4:22 AM

Fix simple test.

In D121556#3438722, @aaron.ballman wrote:
Precommit CI is failing on one test:

Failed Tests (1):
Clang :: Misc/pragma-attribute-supported-attributes-list.test
but with that test fixed, this LGTM! (Feel free to land with the test fixed unless you want another round of review.) Thank you for the awesome new security feature!

That'll teach me not to run tests. :-)

Thanks, Aaron!

This revision was landed with ongoing or failed builds.Apr 8 2022, 12:48 PM

Closed by commit rG3f0587d0c668: [randstruct] Add randomize structure layout support (authored by connorkuehl, committed by void). · Explain Why

This revision was automatically updated to reflect the committed changes.

void added a commit: rG3f0587d0c668: [randstruct] Add randomize structure layout support.

Harbormaster completed remote builds in B158769: Diff 421616.Apr 8 2022, 1:45 PM

Hi, the test you added is failing on the PS4 Windows bot https://lab.llvm.org/buildbot/#/builders/216/builds/2647.

Can you take a look?

In D121556#3440089, @dyung wrote:

Hi, the test you added is failing on the PS4 Windows bot https://lab.llvm.org/buildbot/#/builders/216/builds/2647.

Can you take a look?

Crud! I thought I got all of the Windows issues. I'll fix soon. Sorry about that!

Looks like this breaks tests on mac: http://45.33.8.238/macm1/32938/step_7.txt

Please take a look, and revert for now if it takes a while to fix.

In D121556#3440290, @thakis wrote:

Looks like this breaks tests on mac: http://45.33.8.238/macm1/32938/step_7.txt

Please take a look, and revert for now if it takes a while to fix.

Ugh! This sucks. I just removed the test until I can get it to work on all platforms.

It's more important to remove it from the cmakelists file than to delete the source file ;)

Please revert the whole thing instead of just removing the test coverage though. You can reland when the test is figured out, and that makes sure this doesn't stay in without coverage.

In D121556#3440308, @thakis wrote:

It's more important to remove it from the cmakelists file than to delete the source file ;)

Please revert the whole thing instead of just removing the test coverage though. You can reland when the test is figured out, and that makes sure this doesn't stay in without coverage.

I'd rather not re-land the whole thing. The test isn't that important, and quite frankly it might not be possible to test it with the unittest. Too many architectures seem to have a different randomization algorithm.

Why? This is a fairly small CL. It should be easy to reland, and there shouldn't be any rebasing pain.

You should at least check with your reviewers that they're fine relanding this without test.

You can use llvm::shuffle to avoid STL impl difference

clang/lib/AST/Randstruct.cpp
161	`llvm::shuffle` to avoid

MaskRay mentioned this in rG46b2a463bdef: [randstruct] Use llvm::shuffle to avoid STL impl difference after D121556.Apr 8 2022, 6:14 PM

Windows test is still failing after the std::shuffle => llvm::shuffle change, guess time for revert.

../../clang/unittests/AST/RandstructTest.cpp(165): error: Expected equality of these values:
  Expected
    Which is: { "lettuce", "bacon", "mayonnaise", "tomato" }
  getFieldNamesFromRecord(RD)
    Which is: { "bacon", "lettuce", "mayonnaise", "tomato" }
[  FAILED  ] StructureLayoutRandomization.MarkedRandomize (47 ms)
[----------] 1 test from StructureLayoutRandomization (47 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test suite ran. (47 ms total)
[  PASSED  ] 0 tests.
[  FAILED  ] 1 test, listed below:
[  FAILED  ] StructureLayoutRandomization.MarkedRandomize

 1 FAILED TEST

********************
Testing:  0.. 10.. 20.. 30.. 40.. 50.. 60.. 70.. 80.. 90.. 
********************
Failed Tests (1):
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.MarkedRandomize

MaskRay reopened this revision.Apr 8 2022, 6:37 PM

This revision is now accepted and ready to land.Apr 8 2022, 6:37 PM

MaskRay requested changes to this revision.Apr 8 2022, 6:37 PM

This revision now requires changes to proceed.Apr 8 2022, 6:37 PM

Herald added a subscriber: StephenFan. · View Herald TranscriptApr 8 2022, 6:37 PM

MaskRay added a reverting change: rGa58d0af05803: Revert D121556 "[randstruct] Add randomize structure layout support".Apr 8 2022, 6:37 PM

MaskRay added inline comments.Apr 8 2022, 7:39 PM

clang/lib/AST/Randstruct.cpp
157
clang/lib/Driver/ToolChains/Clang.cpp
5912	`A->render(Args, CmdArgs);`
5915	`A->render(Args, CmdArgs);`
clang/lib/Frontend/CompilerInvocation.cpp
4244	Why is -frandomize-layout-seed-file= needed? Can't the user use something like -frandomize-layout-seed=$(<file) ? Or backquotes for POSIX sh compatibility? The impl uses the very uncommon header <fstream>.
clang/lib/Sema/SemaDecl.cpp
17976	32 may be too large. Consider the default inlined number of elements (fit the vector in 64 bytes).
clang/unittests/AST/RandstructTest.cpp
42	Use static. See https://llvm.org/docs/CodingStandards.html#anonymous-namespaces
63	Use static. See https://llvm.org/docs/CodingStandards.html#anonymous-namespaces

In D121556#3440383, @MaskRay wrote:

Windows test is still failing after the std::shuffle => llvm::shuffle change, guess time for revert.

../../clang/unittests/AST/RandstructTest.cpp(165): error: Expected equality of these values:
  Expected
    Which is: { "lettuce", "bacon", "mayonnaise", "tomato" }
  getFieldNamesFromRecord(RD)
    Which is: { "bacon", "lettuce", "mayonnaise", "tomato" }
[  FAILED  ] StructureLayoutRandomization.MarkedRandomize (47 ms)
[----------] 1 test from StructureLayoutRandomization (47 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test suite ran. (47 ms total)
[  PASSED  ] 0 tests.
[  FAILED  ] 1 test, listed below:
[  FAILED  ] StructureLayoutRandomization.MarkedRandomize

 1 FAILED TEST

********************
Testing:  0.. 10.. 20.. 30.. 40.. 50.. 60.. 70.. 80.. 90.. 
********************
Failed Tests (1):
  Clang-Unit :: AST/./ASTTests.exe/StructureLayoutRandomization.MarkedRandomize

Did this fail after the test was removed? If not, then I don't appreciate you reverting my patch.

void added inline comments.Apr 8 2022, 10:25 PM

clang/lib/Frontend/CompilerInvocation.cpp
4244	That seems a bit clunky to me. If you don't like it, I can just remove the option entirely. Wish you would have mentioned these concerns earlier...like in the several weeks this has been in review. The `fstream` header is used in other places. If there's a better alternative, please suggest one.
clang/lib/Sema/SemaDecl.cpp
17976	Linux has many structures with far more fields. In fact, it's probably not useful to randomize structures with a small number of fields.
clang/unittests/AST/RandstructTest.cpp
42	Nah.

Fix test

MaskRay added inline comments.Apr 8 2022, 11:48 PM

clang/lib/Frontend/CompilerInvocation.cpp
4244	I was a subscriber only vaguely aware of this patch and mostly absent in the past 2 weeks on trips (which meant I spent really little time on reading patches) :) I just hope that every option added is useful. A thing that is not so necessarily can be delayed until it is actually needed. Just noticed that there is test coverage gap that the cc1 options are completely untested. There are unit tests, but no lit test.

Harbormaster completed remote builds in B158827: Diff 421692.Apr 9 2022, 12:30 AM

aaron.ballman added inline comments.Apr 9 2022, 5:29 AM

clang/lib/Frontend/CompilerInvocation.cpp
4244	I just hope that every option added is useful. A thing that is not so necessarily can be delayed until it is actually needed. I think this option is useful. Windows' cmd.exe doesn't make it particularly trivial to pipe contents to an argument in a command line, but also, IDEs don't always make it obvious how you would pipe the seed content into a file either. I don't see an issue with using `fstream` either; we use it when necessary.
clang/unittests/AST/RandstructTest.cpp
42	FWIW, I agree with this feedback -- please follow the coding standards unless there's strong incentive not to (which I don't think there is here). Sorry for not catching this before during review.

MaskRay added inline comments.Apr 9 2022, 12:22 PM

clang/lib/Frontend/CompilerInvocation.cpp
4244	Ah, LG! Just need some tests for the two -f -cc1 options.

This revision was not accepted when it landed; it landed in state Needs Review.Apr 9 2022, 1:15 PM

Closed by commit rG7aa8c38a9e19: [randstruct] Add randomize structure layout support (authored by connorkuehl, committed by void). · Explain Why

This revision was automatically updated to reflect the committed changes.

void added a commit: rG7aa8c38a9e19: [randstruct] Add randomize structure layout support.

jyknight added a subscriber: jyknight.Apr 11 2022, 3:16 PM

jyknight added inline comments.

clang/unittests/AST/RandstructTest.cpp
155–159	I do think that as an ideal, a compile run on one host platform ought to produce the exact same output as a compile run on another (presuming a triple and sysroot are provided, and mumblemumble file-paths). But I have no idea how close or far we currently are from such an ideal.

The relanded form still lacks the -f option testing I requested.

void added inline comments.Apr 11 2022, 3:28 PM

clang/unittests/AST/RandstructTest.cpp
155–159	I completely agree. Alternatively, we could use some other RNG-type algorithm that will be the same across platforms.

In D121556#3444006, @MaskRay wrote:

The relanded form still lacks the -f option testing I requested.

The unit test tests the -frandomize-layout-seed= option already.

7aa8c38a9e190aea14116028c38b1d9f54cbb0b3 still uses std::shuffle, not incorporating the llvm::shuffle fixes I did.

In D121556#3444015, @void wrote:

In D121556#3444006, @MaskRay wrote:

The relanded form still lacks the -f option testing I requested.

The unit test tests the -frandomize-layout-seed= option already.

OK, I see. Then test -frandomize-layout-seed-file= as well? I cannot find its test.

In D121556#3444026, @MaskRay wrote:

In D121556#3444015, @void wrote:

In D121556#3444006, @MaskRay wrote:

The relanded form still lacks the -f option testing I requested.

The unit test tests the -frandomize-layout-seed= option already.

OK, I see. Then test -frandomize-layout-seed-file= as well? I cannot find its test.

Okay, I'll add a test for that.

In D121556#3444021, @MaskRay wrote:

7aa8c38a9e190aea14116028c38b1d9f54cbb0b3 still uses std::shuffle, not incorporating the llvm::shuffle fixes I did.

You said it was still failing after the std::shuffle to llvm::shuffle change.

In D121556#3444131, @void wrote:

In D121556#3444021, @MaskRay wrote:

7aa8c38a9e190aea14116028c38b1d9f54cbb0b3 still uses std::shuffle, not incorporating the llvm::shuffle fixes I did.

You said it was still failing after the std::shuffle to llvm::shuffle change.

By saying it still failed, I meant there were other Windows vs non-Windows differences, not that std::shuffle=>llvm::shuffle was an unintended change.

I wondered why the test did not fail again when you re-landed it. Now I see: you simply removed all order checks like EXPECT_EQ(Expected, getFieldNamesFromRecord(RD));
The tests seem overly relaxing and no longer serve the original purposes to catch errors (if the algorithm is changed to not randomize at all, I suspect the tests will pass as well).

In D121556#3444221, @MaskRay wrote:

In D121556#3444131, @void wrote:

In D121556#3444021, @MaskRay wrote:

7aa8c38a9e190aea14116028c38b1d9f54cbb0b3 still uses std::shuffle, not incorporating the llvm::shuffle fixes I did.

You said it was still failing after the std::shuffle to llvm::shuffle change.

By saying it still failed, I meant there were other Windows vs non-Windows differences, not that std::shuffle=>llvm::shuffle was an unintended change.

So does it work or not? If I change it to llvm::shuffle, will the tests fail or will they pass regardless of the platform?

In D121556#3444260, @void wrote:

In D121556#3444221, @MaskRay wrote:

In D121556#3444131, @void wrote:

In D121556#3444021, @MaskRay wrote:

7aa8c38a9e190aea14116028c38b1d9f54cbb0b3 still uses std::shuffle, not incorporating the llvm::shuffle fixes I did.

You said it was still failing after the std::shuffle to llvm::shuffle change.

By saying it still failed, I meant there were other Windows vs non-Windows differences, not that std::shuffle=>llvm::shuffle was an unintended change.

So does it work or not? If I change it to llvm::shuffle, will the tests fail or will they pass regardless of the platform?

If you change std::shuffle to llvm::shuffle and add back tests like EXPECT_EQ(Expected, getFieldNamesFromRecord(RD));, the test will likely fail on Windows.
I recall that @aaron.ballman uses Windows and may help you find the differences.
I tend to agree with your I think it's just a case where Windows' algorithm for std::mt19937 is subtly different than the one for Linux.

In D121556#3444434, @MaskRay wrote:

In D121556#3444260, @void wrote:

In D121556#3444221, @MaskRay wrote:

In D121556#3444131, @void wrote:

In D121556#3444021, @MaskRay wrote:

7aa8c38a9e190aea14116028c38b1d9f54cbb0b3 still uses std::shuffle, not incorporating the llvm::shuffle fixes I did.

You said it was still failing after the std::shuffle to llvm::shuffle change.

By saying it still failed, I meant there were other Windows vs non-Windows differences, not that std::shuffle=>llvm::shuffle was an unintended change.

So does it work or not? If I change it to llvm::shuffle, will the tests fail or will they pass regardless of the platform?

If you change std::shuffle to llvm::shuffle and add back tests like EXPECT_EQ(Expected, getFieldNamesFromRecord(RD));, the test will likely fail on Windows.
I recall that @aaron.ballman uses Windows and may help you find the differences.

It was also failing on MacOS. And it failed a different way on another Windows version. That's why I removed the test for the deterministic shuffle.

I tend to agree with your I think it's just a case where Windows' algorithm for std::mt19937 is subtly different than the one for Linux.

The only other option would be to add the EXPECT_* stuff on one platform (like Linux). I suppose that would be better than nothing.

In D121556#3444837, @void wrote:

In D121556#3444434, @MaskRay wrote:

In D121556#3444260, @void wrote:

In D121556#3444221, @MaskRay wrote:

In D121556#3444131, @void wrote:

In D121556#3444021, @MaskRay wrote:

7aa8c38a9e190aea14116028c38b1d9f54cbb0b3 still uses std::shuffle, not incorporating the llvm::shuffle fixes I did.

You said it was still failing after the std::shuffle to llvm::shuffle change.

By saying it still failed, I meant there were other Windows vs non-Windows differences, not that std::shuffle=>llvm::shuffle was an unintended change.

So does it work or not? If I change it to llvm::shuffle, will the tests fail or will they pass regardless of the platform?

If you change std::shuffle to llvm::shuffle and add back tests like EXPECT_EQ(Expected, getFieldNamesFromRecord(RD));, the test will likely fail on Windows.
I recall that @aaron.ballman uses Windows and may help you find the differences.

It was also failing on MacOS. And it failed a different way on another Windows version. That's why I removed the test for the deterministic shuffle.

I tend to agree with your I think it's just a case where Windows' algorithm for std::mt19937 is subtly different than the one for Linux.

The only other option would be to add the EXPECT_* stuff on one platform (like Linux). I suppose that would be better than nothing.

Here's what has me confused... You're using std::mt19937 which is a very specific random number algorithm and you're giving it the same seed. I don't think we *should* be getting different behavior from the random number generator across platforms. The issue is the call to std::shuffle (see https://en.cppreference.com/w/cpp/algorithm/random_shuffle#Notes), so I think using llvm::shuffle will fix all the tests on all the platforms.

In D121556#3445124, @aaron.ballman wrote:

In D121556#3444837, @void wrote:

In D121556#3444434, @MaskRay wrote:

In D121556#3444260, @void wrote:

In D121556#3444221, @MaskRay wrote:

In D121556#3444131, @void wrote:

In D121556#3444021, @MaskRay wrote:

7aa8c38a9e190aea14116028c38b1d9f54cbb0b3 still uses std::shuffle, not incorporating the llvm::shuffle fixes I did.

You said it was still failing after the std::shuffle to llvm::shuffle change.

By saying it still failed, I meant there were other Windows vs non-Windows differences, not that std::shuffle=>llvm::shuffle was an unintended change.

So does it work or not? If I change it to llvm::shuffle, will the tests fail or will they pass regardless of the platform?

If you change std::shuffle to llvm::shuffle and add back tests like EXPECT_EQ(Expected, getFieldNamesFromRecord(RD));, the test will likely fail on Windows.
I recall that @aaron.ballman uses Windows and may help you find the differences.

It was also failing on MacOS. And it failed a different way on another Windows version. That's why I removed the test for the deterministic shuffle.

I tend to agree with your I think it's just a case where Windows' algorithm for std::mt19937 is subtly different than the one for Linux.

The only other option would be to add the EXPECT_* stuff on one platform (like Linux). I suppose that would be better than nothing.

Here's what has me confused... You're using std::mt19937 which is a very specific random number algorithm and you're giving it the same seed. I don't think we *should* be getting different behavior from the random number generator across platforms. The issue is the call to std::shuffle (see https://en.cppreference.com/w/cpp/algorithm/random_shuffle#Notes), so I think using llvm::shuffle will fix all the tests on all the platforms.

Okay. So I'll make this change and submit it during a time when there isn't a lot of activity so that I can revert it if it fails without annoying too many people.

nickdesaulniers mentioned this in D123544: [randstruct] Automatically randomize a structure of function pointers.Apr 12 2022, 3:14 PM

Revision Contents

Path

Size

clang/

docs/

ReleaseNotes.rst

14 lines

include/

clang/

AST/

Decl.h

6 lines

DeclBase.h

6 lines

Randstruct.h

38 lines

Basic/

Attr.td

15 lines

AttrDocs.td

32 lines

DiagnosticDriverKinds.td

2 lines

DiagnosticSemaKinds.td

4 lines

LangOptions.h

3 lines

Driver/

Options.td

6 lines

lib/

AST/

CMakeLists.txt

1 line

Decl.cpp

8 lines

Randstruct.cpp

223 lines

Driver/

ToolChains/

Clang.cpp

8 lines

Frontend/

CompilerInvocation.cpp

17 lines

Sema/

SemaCast.cpp

17 lines

SemaDecl.cpp

13 lines

SemaDeclAttr.cpp

21 lines

test/

Misc/

pragma-attribute-supported-attributes-list.test

2 lines

unittests/

AST/

CMakeLists.txt

1 line

RandstructTest.cpp

424 lines

Diff 421754

clang/docs/ReleaseNotes.rst

	Show First 20 Lines • Show All 48 Lines • ▼ Show 20 Lines

	- Clang now supports the ``-fzero-call-used-regs`` feature for x86. The purpose			- Clang now supports the ``-fzero-call-used-regs`` feature for x86. The purpose
	of this feature is to limit Return-Oriented Programming (ROP) exploits and			of this feature is to limit Return-Oriented Programming (ROP) exploits and
	information leakage. It works by zeroing out a selected class of registers			information leakage. It works by zeroing out a selected class of registers
	before function return --- e.g., all GPRs that are used within the function.			before function return --- e.g., all GPRs that are used within the function.
	There is an analogous ``zero_call_used_regs`` attribute to allow for finer			There is an analogous ``zero_call_used_regs`` attribute to allow for finer
	control of this feature.			control of this feature.

				- Clang now supports randomizing structure layout in C. This feature is a
				compile-time hardening technique, making it more difficult for an attacker to
				retrieve data from structures. Specify randomization with the
				``randomize_layout`` attribute. The corresponding ``no_randomize_layout``
				attribute can be used to turn the feature off.

				A seed value is required to enable randomization, and is deterministic based
				on a seed value. Use the ``-frandomize-layout-seed=`` or
				``-frandomize-layout-seed-file=`` flags.

				.. note::

				Randomizing structure layout is a C-only feature.

	Bug Fixes			Bug Fixes
	------------------			------------------
	- ``CXXNewExpr::getArraySize()`` previously returned a ``llvm::Optional``			- ``CXXNewExpr::getArraySize()`` previously returned a ``llvm::Optional``
	wrapping a ``nullptr`` when the ``CXXNewExpr`` did not have an array			wrapping a ``nullptr`` when the ``CXXNewExpr`` did not have an array
	size expression. This was fixed and ``::getArraySize()`` will now always			size expression. This was fixed and ``::getArraySize()`` will now always
	either return ``None`` or a ``llvm::Optional`` wrapping a valid ``Expr*``.			either return ``None`` or a ``llvm::Optional`` wrapping a valid ``Expr*``.
	This fixes `Issue 53742 <https://github.com/llvm/llvm-project/issues/53742>`_.			This fixes `Issue 53742 <https://github.com/llvm/llvm-project/issues/53742>`_.
	- We now ignore full expressions when traversing cast subexpressions. This			- We now ignore full expressions when traversing cast subexpressions. This
	▲ Show 20 Lines • Show All 299 Lines • Show Last 20 Lines

clang/include/clang/AST/Decl.h

Show First 20 Lines • Show All 2,833 Lines • ▼ Show 20 Lines	public:
}		}
};		};

/// Represents a member of a struct/union/class.		/// Represents a member of a struct/union/class.
class FieldDecl : public DeclaratorDecl, public Mergeable<FieldDecl> {		class FieldDecl : public DeclaratorDecl, public Mergeable<FieldDecl> {
unsigned BitField : 1;		unsigned BitField : 1;
unsigned Mutable : 1;		unsigned Mutable : 1;
mutable unsigned CachedFieldIndex : 30;		mutable unsigned CachedFieldIndex : 30;

		aaron.ballmanUnsubmitted Done Reply Inline Actions It's unfortunate that every field node in the AST is now going to be 4 bytes larger for this feature; I worry about the extra memory pressure from the additional overhead, so if there's a way for us to save some space here, I think it might be worth it. (I'm worried that our max template instantiation depth will shrink because of this.) aaron.ballman: It's unfortunate that every field node in the AST is now going to be 4 bytes larger for this…
		voidAuthorUnsubmitted Done Reply Inline Actions Turns out this field wasn't used. I removed it. void: Turns out this field wasn't used. I removed it.
/// The kinds of value we can store in InitializerOrBitWidth.		/// The kinds of value we can store in InitializerOrBitWidth.
///		///
/// Note that this is compatible with InClassInitStyle except for		/// Note that this is compatible with InClassInitStyle except for
/// ISK_CapturedVLAType.		/// ISK_CapturedVLAType.
enum InitStorageKind {		enum InitStorageKind {
/// If the pointer is null, there's nothing special. Otherwise,		/// If the pointer is null, there's nothing special. Otherwise,
/// this is a bitfield and the pointer is the Expr* storing the		/// this is a bitfield and the pointer is the Expr* storing the
/// bit-width.		/// bit-width.
▲ Show 20 Lines • Show All 1,195 Lines • ▼ Show 20 Lines	public:
bool isParamDestroyedInCallee() const {		bool isParamDestroyedInCallee() const {
return RecordDeclBits.ParamDestroyedInCallee;		return RecordDeclBits.ParamDestroyedInCallee;
}		}

void setParamDestroyedInCallee(bool V) {		void setParamDestroyedInCallee(bool V) {
RecordDeclBits.ParamDestroyedInCallee = V;		RecordDeclBits.ParamDestroyedInCallee = V;
}		}

		bool isRandomized() const { return RecordDeclBits.IsRandomized; }

		void setIsRandomized(bool V) { RecordDeclBits.IsRandomized = V; }
		aaron.ballmanUnsubmitted Done Reply Inline Actions A setter that is marked `const` does not spark joy for me... Can we use friendship rather than mutability to solve this? aaron.ballman: A setter that is marked `const` does not spark joy for me... Can we use friendship rather than…
		voidAuthorUnsubmitted Done Reply Inline Actions It was done to prevent a `const_cast`. It looks like the other setters are non-const. I'll see if I can get around that. void: It was done to prevent a `const_cast`. It looks like the other setters are non-const. I'll see…

		void reorderFields(const SmallVectorImpl<Decl *> &Fields);

/// Determines whether this declaration represents the		/// Determines whether this declaration represents the
/// injected class name.		/// injected class name.
///		///
/// The injected class name in C++ is the name of the class that		/// The injected class name in C++ is the name of the class that
/// appears inside the class itself. For example:		/// appears inside the class itself. For example:
///		///
/// \code		/// \code
/// struct C {		/// struct C {
▲ Show 20 Lines • Show All 631 Lines • Show Last 20 Lines

clang/include/clang/AST/DeclBase.h

Show First 20 Lines • Show All 307 Lines • ▼ Show 20 Lines

protected:		protected:
friend class ASTDeclReader;		friend class ASTDeclReader;
friend class ASTDeclWriter;		friend class ASTDeclWriter;
friend class ASTNodeImporter;		friend class ASTNodeImporter;
friend class ASTReader;		friend class ASTReader;
friend class CXXClassMemberWrapper;		friend class CXXClassMemberWrapper;
friend class LinkageComputer;		friend class LinkageComputer;
		friend class RecordDecl;
template<typename decl_type> friend class Redeclarable;		template<typename decl_type> friend class Redeclarable;

/// Access - Used by C++ decls for the access specifier.		/// Access - Used by C++ decls for the access specifier.
// NOTE: VC++ treats enums as signed, avoid using the AccessSpecifier enum		// NOTE: VC++ treats enums as signed, avoid using the AccessSpecifier enum
unsigned Access : 2;		unsigned Access : 2;

/// Whether this declaration was loaded from an AST file.		/// Whether this declaration was loaded from an AST file.
unsigned FromASTFile : 1;		unsigned FromASTFile : 1;
▲ Show 20 Lines • Show All 1,211 Lines • ▼ Show 20 Lines	class RecordDeclBitfields {
uint64_t HasNonTrivialToPrimitiveDestructCUnion : 1;		uint64_t HasNonTrivialToPrimitiveDestructCUnion : 1;
uint64_t HasNonTrivialToPrimitiveCopyCUnion : 1;		uint64_t HasNonTrivialToPrimitiveCopyCUnion : 1;

/// Indicates whether this struct is destroyed in the callee.		/// Indicates whether this struct is destroyed in the callee.
uint64_t ParamDestroyedInCallee : 1;		uint64_t ParamDestroyedInCallee : 1;

/// Represents the way this type is passed to a function.		/// Represents the way this type is passed to a function.
uint64_t ArgPassingRestrictions : 2;		uint64_t ArgPassingRestrictions : 2;

		/// Indicates whether this struct has had its field layout randomized.
		uint64_t IsRandomized : 1;
};		};

/// Number of non-inherited bits in RecordDeclBitfields.		/// Number of non-inherited bits in RecordDeclBitfields.
enum { NumRecordDeclBits = 14 };		enum { NumRecordDeclBits = 15 };

/// Stores the bits used by OMPDeclareReductionDecl.		/// Stores the bits used by OMPDeclareReductionDecl.
/// If modified NumOMPDeclareReductionDeclBits and the accessor		/// If modified NumOMPDeclareReductionDeclBits and the accessor
/// methods in OMPDeclareReductionDecl should be updated appropriately.		/// methods in OMPDeclareReductionDecl should be updated appropriately.
class OMPDeclareReductionDeclBitfields {		class OMPDeclareReductionDeclBitfields {
friend class OMPDeclareReductionDecl;		friend class OMPDeclareReductionDecl;
/// For the bits in DeclContextBitfields		/// For the bits in DeclContextBitfields
uint64_t : NumDeclContextBits;		uint64_t : NumDeclContextBits;
▲ Show 20 Lines • Show All 1,102 Lines • Show Last 20 Lines

clang/include/clang/AST/Randstruct.h

This file was added.

//===- Randstruct.h - Interfact for structure randomization -------*- C++ -*-=//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//===----------------------------------------------------------------------===//

// This file contains the interface for Clang's structure field layout

// randomization.

//===----------------------------------------------------------------------===//

#ifndef LLVM_CLANG_AST_RANDSTRUCT_H

#define LLVM_CLANG_AST_RANDSTRUCT_H

namespace llvm {

template <typename T> class ArrayRef;

template <typename T> class SmallVectorImpl;

class StringRef;

} // end namespace llvm

namespace clang {

class ASTContext;

class Decl;

class RecordDecl;

namespace randstruct {

bool randomizeStructureLayout(const ASTContext &Context, llvm::StringRef Name,

llvm::ArrayRef<Decl *> Fields,

llvm::SmallVectorImpl<Decl *> &FinalOrdering);

} // namespace randstruct

aaron.ballmanUnsubmitted

Done

Doing this with a global variable is unfortunate; it could make things harder when we multithread the frontend. Can we solve this without a global? (And if not, does this global need to be a ManagedStatic?)

aaron.ballman: Doing this with a global variable is unfortunate; it could make things harder when we…

voidAuthorUnsubmitted

Done

Maybe this could be moved to LangOpts?

void: Maybe this could be moved to `LangOpts`?

aaron.ballmanUnsubmitted

Done

That's a really good idea, let's go with that approach.

aaron.ballman: That's a really good idea, let's go with that approach.

} // namespace clang

aaron.ballmanUnsubmitted

Done

namespace randstruct {

- using llvm::SmallVectorImpl;

bool randomizeStructureLayout(const ASTContext &Context, llvm::StringRef Name,

llvm::ArrayRef<Decl *> Fields,

- SmallVectorImpl<Decl *> &FinalOrdering);

+ llvm::SmallVectorImpl<Decl *> &FinalOrdering);

} // namespace randstruct

Might as well be consistent with the other type names.

aaron.ballman: Might as well be consistent with the other type names.

#endif // LLVM_CLANG_AST_RANDSTRUCT_H

clang/include/clang/Basic/Attr.td

Show First 20 Lines • Show All 3,945 Lines • ▼ Show 20 Lines	def Error : InheritableAttr {
let Accessors = [Accessor<"isError", [GCC<"error">]>,		let Accessors = [Accessor<"isError", [GCC<"error">]>,
Accessor<"isWarning", [GCC<"warning">]>];		Accessor<"isWarning", [GCC<"warning">]>];
let Args = [StringArgument<"UserDiagnostic">];		let Args = [StringArgument<"UserDiagnostic">];
let Subjects = SubjectList<[Function], ErrorDiag>;		let Subjects = SubjectList<[Function], ErrorDiag>;
let Documentation = [ErrorAttrDocs];		let Documentation = [ErrorAttrDocs];
}		}

def HLSLNumThreads: InheritableAttr {		def HLSLNumThreads: InheritableAttr {
let Spellings = [Microsoft<"numthreads">];		let Spellings = [Microsoft<"numthreads">];
let Args = [IntArgument<"X">, IntArgument<"Y">, IntArgument<"Z">];		let Args = [IntArgument<"X">, IntArgument<"Y">, IntArgument<"Z">];
		aaron.ballmanUnsubmitted Done Reply Inline Actions Microsoft does not implement this `__declspec`, correct? If they don't, we shouldn't either (even if GCC does) unless there's a very good reason to do so. That's Microsoft's design space we're encroaching on. I'd also like to understand the justification for adding a new keyword for this. aaron.ballman: Microsoft does not implement this `__declspec`, correct? If they don't, we shouldn't either…
		voidAuthorUnsubmitted Done Reply Inline Actions Good point. I'll remove those. void: Good point. I'll remove those.
let Subjects = SubjectList<[HLSLEntry]>;		let Subjects = SubjectList<[HLSLEntry]>;
let LangOpts = [HLSL];		let LangOpts = [HLSL];
let Documentation = [NumThreadsDocs];		let Documentation = [NumThreadsDocs];
}		}

		def RandomizeLayout : InheritableAttr {
		let Spellings = [GCC<"randomize_layout">];
		let Subjects = SubjectList<[Record]>;
		let Documentation = [ClangRandomizeLayoutDocs];
		let LangOpts = [COnly];
		aaron.ballmanUnsubmitted Done Reply Inline Actions Same here. aaron.ballman: Same here.
		}

		def NoRandomizeLayout : InheritableAttr {
		let Spellings = [GCC<"no_randomize_layout">];
		let Subjects = SubjectList<[Record]>;
		let Documentation = [ClangRandomizeLayoutDocs];
		let LangOpts = [COnly];
		}
		def : MutualExclusions<[RandomizeLayout, NoRandomizeLayout]>;

clang/include/clang/Basic/AttrDocs.td

Show First 20 Lines • Show All 6,373 Lines • ▼ Show 20 Lines	def NumThreadsDocs : Documentation {
let Content = [{		let Content = [{
The ``numthreads`` attribute applies to HLSL shaders where explcit thread counts		The ``numthreads`` attribute applies to HLSL shaders where explcit thread counts
are required. The ``X``, ``Y``, and ``Z`` values provided to the attribute		are required. The ``X``, ``Y``, and ``Z`` values provided to the attribute
dictate the thread id. Total number of threads executed is ``X * Y * Z``.		dictate the thread id. Total number of threads executed is ``X * Y * Z``.

The full documentation is available here: https://docs.microsoft.com/en-us/windows/win32/direct3dhlsl/sm5-attributes-numthreads		The full documentation is available here: https://docs.microsoft.com/en-us/windows/win32/direct3dhlsl/sm5-attributes-numthreads
}];		}];
}		}

		def ClangRandomizeLayoutDocs : Documentation {
		let Category = DocCatDecl;
		let Heading = "randomize_layout, no_randomize_layout";
		let Content = [{
		The attribute ``randomize_layout``, when attached to a C structure, selects it
		for structure layout field randomization; a compile-time hardening technique. A
		"seed" value, is specified via the ``-frandomize-layout-seed=`` command line flag.
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions I think it would help to explain the effects of this attribute in conjunction with structure packing techniques (the `packed` attribute and bit-fields) and whether any attempt is made to keep the structure packed or those fields together or not. I'd expect no such attempt is made, but people may want to know "attempts to pack this structure" and "randomize this structure layout" are not compatible. (We may want to diagnose in the case of seeing the `packed` attribute, in fact.) We should also be more clear that the seed specified does not have to be numeric in nature (from the file or when directly on the command line). aaron.ballman: I think it would help to explain the effects of this attribute in conjunction with structure…
		voidAuthorUnsubmitted Done Reply Inline Actions Having randomization and the `packed` attribute probably isn't the best option. I'll modify things to prevent that from happening. void: Having randomization and the `packed` attribute probably isn't the best option. I'll modify…
		For example:

		.. code-block:: bash

		SEED=`od -A n -t x8 -N 32 /dev/urandom \| tr -d ' \n'`
		make ... CFLAGS="-frandomize-layout-seed=$SEED" ...

		You can also supply the seed in a file with ``-frandomize-layout-seed-file=``.
		For example:

		.. code-block:: bash

		od -A n -t x8 -N 32 /dev/urandom \| tr -d ' \n' > /tmp/seed_file.txt
		make ... CFLAGS="-frandomize-layout-seed-file=/tmp/seed_file.txt" ...

		The randomization is deterministic based for a given seed, so the entire
		program should be compiled with the same seed, but keep the seed safe
		otherwise.

		The attribute ``no_randomize_layout``, when attached to a C structure,
		instructs the compiler that this structure should not have its field layout
		randomized.
		}];
		}

clang/include/clang/Basic/DiagnosticDriverKinds.td

	Show First 20 Lines • Show All 159 Lines • ▼ Show 20 Lines
	def err_drv_argument_only_allowed_with : Error<			def err_drv_argument_only_allowed_with : Error<
	"invalid argument '%0' only allowed with '%1'">;			"invalid argument '%0' only allowed with '%1'">;
	def err_drv_minws_unsupported_input_type : Error<			def err_drv_minws_unsupported_input_type : Error<
	"'-fminimize-whitespace' invalid for input of type %0">;			"'-fminimize-whitespace' invalid for input of type %0">;
	def err_drv_amdgpu_ieee_without_no_honor_nans : Error<			def err_drv_amdgpu_ieee_without_no_honor_nans : Error<
	"invalid argument '-mno-amdgpu-ieee' only allowed with relaxed NaN handling">;			"invalid argument '-mno-amdgpu-ieee' only allowed with relaxed NaN handling">;
	def err_drv_argument_not_allowed_with : Error<			def err_drv_argument_not_allowed_with : Error<
	"invalid argument '%0' not allowed with '%1'">;			"invalid argument '%0' not allowed with '%1'">;
				def err_drv_cannot_open_randomize_layout_seed_file : Error<
				"cannot read randomize layout seed file '%0'">;
	def err_drv_invalid_version_number : Error<			def err_drv_invalid_version_number : Error<
	"invalid version number in '%0'">;			"invalid version number in '%0'">;
	def err_drv_no_linker_llvm_support : Error<			def err_drv_no_linker_llvm_support : Error<
	"'%0': unable to pass LLVM bit-code files to linker">;			"'%0': unable to pass LLVM bit-code files to linker">;
	def err_drv_no_ast_support : Error<			def err_drv_no_ast_support : Error<
	"'%0': unable to use AST files with this tool">;			"'%0': unable to use AST files with this tool">;
	def err_drv_no_module_support : Error<			def err_drv_no_module_support : Error<
	"'%0': unable to use module files with this tool">;			"'%0': unable to use module files with this tool">;
	▲ Show 20 Lines • Show All 483 Lines • Show Last 20 Lines

clang/include/clang/Basic/DiagnosticSemaKinds.td

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 11,571 Lines • ▼ Show 20 Lines

// RISC-V builtin required extension warning

def err_riscv_builtin_requires_extension : Error<

"builtin requires at least one of the following extensions support to be enabled : %0">;

def err_riscv_builtin_invalid_lmul : Error<

"LMUL argument must be in the range [0,3] or [5,7]">;

def err_std_source_location_impl_not_found : Error<

"'std::source_location::__impl' was not found; it must be defined before '__builtin_source_location' is called">;

aaron.ballmanUnsubmitted

Done

// Layout randomization warning.

- def cast_from_randomized_struct : Error<

+ def err_cast_from_randomized_struct : Error<

"casting from randomized structure pointer type %0 to %1">;

aaron.ballman:

def err_std_source_location_impl_malformed : Error<

"'std::source_location::__impl' must be standard-layout and have only two 'const char *' fields '_M_file_name' and '_M_function_name', and two integral fields '_M_line' and '_M_column'">;

// HLSL Diagnostics

def err_hlsl_attr_unsupported_in_stage : Error<"attribute %0 is unsupported in %select{Pixel|Vertex|Geometry|Hull|Domain|Compute|Library|RayGeneration|Intersection|AnyHit|ClosestHit|Miss|Callable|Mesh|Amplification|Invalid}1 shaders, requires %2">;

def err_hlsl_numthreads_argument_oor : Error<"argument '%select{X|Y|Z}0' to numthreads attribute cannot exceed %1">;

def err_hlsl_numthreads_invalid : Error<"total number of threads cannot exceed %0">;

def err_hlsl_attribute_param_mismatch : Error<"%0 attribute parameters do not match the previous declaration">;

// Layout randomization warning.

def err_cast_from_randomized_struct : Error<

"casting from randomized structure pointer type %0 to %1">;

} // end of sema component.

clang/include/clang/Basic/LangOptions.h

Show First 20 Lines • Show All 439 Lines • ▼ Show 20 Lines	public:

/// Indicates whether the front-end is explicitly told that the		/// Indicates whether the front-end is explicitly told that the
/// input is a header file (i.e. -x c-header).		/// input is a header file (i.e. -x c-header).
bool IsHeaderFile = false;		bool IsHeaderFile = false;

/// The default stream kind used for HIP kernel launching.		/// The default stream kind used for HIP kernel launching.
GPUDefaultStreamKind GPUDefaultStream;		GPUDefaultStreamKind GPUDefaultStream;

		/// The seed used by the randomize structure layout feature.
		std::string RandstructSeed;

LangOptions();		LangOptions();

// Define accessors/mutators for language options of enumeration type.		// Define accessors/mutators for language options of enumeration type.
#define LANGOPT(Name, Bits, Default, Description)		#define LANGOPT(Name, Bits, Default, Description)
#define ENUM_LANGOPT(Name, Type, Bits, Default, Description) \		#define ENUM_LANGOPT(Name, Type, Bits, Default, Description) \
Type get##Name() const { return static_cast<Type>(Name); } \		Type get##Name() const { return static_cast<Type>(Name); } \
void set##Name(Type Value) { Name = static_cast<unsigned>(Value); }		void set##Name(Type Value) { Name = static_cast<unsigned>(Value); }
#include "clang/Basic/LangOptions.def"		#include "clang/Basic/LangOptions.def"
▲ Show 20 Lines • Show All 333 Lines • Show Last 20 Lines

clang/include/clang/Driver/Options.td

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 2,116 Lines • ▼ Show 20 Lines	def fmacro_backtrace_limit_EQ : Joined<["-"], "fmacro-backtrace-limit=">,
Group<f_Group>, Flags<[NoXarchOption, CoreOption]>;		Group<f_Group>, Flags<[NoXarchOption, CoreOption]>;
defm merge_all_constants : BoolFOption<"merge-all-constants",		defm merge_all_constants : BoolFOption<"merge-all-constants",
CodeGenOpts<"MergeAllConstants">, DefaultFalse,		CodeGenOpts<"MergeAllConstants">, DefaultFalse,
PosFlag<SetTrue, [CC1Option, CoreOption], "Allow">, NegFlag<SetFalse, [], "Disallow">,		PosFlag<SetTrue, [CC1Option, CoreOption], "Allow">, NegFlag<SetFalse, [], "Disallow">,
BothFlags<[], " merging of constants">>;		BothFlags<[], " merging of constants">>;
def fmessage_length_EQ : Joined<["-"], "fmessage-length=">, Group<f_Group>, Flags<[CC1Option]>,		def fmessage_length_EQ : Joined<["-"], "fmessage-length=">, Group<f_Group>, Flags<[CC1Option]>,
HelpText<"Format message diagnostics so that they fit within N columns">,		HelpText<"Format message diagnostics so that they fit within N columns">,
MarshallingInfoInt<DiagnosticOpts<"MessageLength">>;		MarshallingInfoInt<DiagnosticOpts<"MessageLength">>;
		def frandomize_layout_seed_EQ : Joined<["-"], "frandomize-layout-seed=">,
		MetaVarName<"<seed>">, Group<f_clang_Group>, Flags<[CC1Option]>,
		HelpText<"The seed used by the randomize structure layout feature">;
		def frandomize_layout_seed_file_EQ : Joined<["-"], "frandomize-layout-seed-file=">,
		MetaVarName<"<file>">, Group<f_clang_Group>, Flags<[CC1Option]>,
		HelpText<"File holding the seed used by the randomize structure layout feature">;
def fms_compatibility : Flag<["-"], "fms-compatibility">, Group<f_Group>, Flags<[CC1Option, CoreOption]>,		def fms_compatibility : Flag<["-"], "fms-compatibility">, Group<f_Group>, Flags<[CC1Option, CoreOption]>,
HelpText<"Enable full Microsoft Visual C++ compatibility">,		HelpText<"Enable full Microsoft Visual C++ compatibility">,
MarshallingInfoFlag<LangOpts<"MSVCCompat">>;		MarshallingInfoFlag<LangOpts<"MSVCCompat">>;
def fms_extensions : Flag<["-"], "fms-extensions">, Group<f_Group>, Flags<[CC1Option, CoreOption]>,		def fms_extensions : Flag<["-"], "fms-extensions">, Group<f_Group>, Flags<[CC1Option, CoreOption]>,
HelpText<"Accept some non-standard constructs supported by the Microsoft compiler">,		HelpText<"Accept some non-standard constructs supported by the Microsoft compiler">,
MarshallingInfoFlag<LangOpts<"MicrosoftExt">>, ImpliedByAnyOf<[fms_compatibility.KeyPath]>;		MarshallingInfoFlag<LangOpts<"MicrosoftExt">>, ImpliedByAnyOf<[fms_compatibility.KeyPath]>;
		aaron.ballmanUnsubmitted Done Reply Inline Actions You should condense these a bit to keep the style the same as the surrounding code. aaron.ballman: You should condense these a bit to keep the style the same as the surrounding code.
defm asm_blocks : BoolFOption<"asm-blocks",		defm asm_blocks : BoolFOption<"asm-blocks",
LangOpts<"AsmBlocks">, Default<fms_extensions.KeyPath>,		LangOpts<"AsmBlocks">, Default<fms_extensions.KeyPath>,
PosFlag<SetTrue, [CC1Option]>, NegFlag<SetFalse>>;		PosFlag<SetTrue, [CC1Option]>, NegFlag<SetFalse>>;
def fms_volatile : Flag<["-"], "fms-volatile">, Group<f_Group>, Flags<[CC1Option]>,		def fms_volatile : Flag<["-"], "fms-volatile">, Group<f_Group>, Flags<[CC1Option]>,
MarshallingInfoFlag<CodeGenOpts<"MSVolatile">>;		MarshallingInfoFlag<CodeGenOpts<"MSVolatile">>;
def fmsc_version : Joined<["-"], "fmsc-version=">, Group<f_Group>, Flags<[NoXarchOption, CoreOption]>,		def fmsc_version : Joined<["-"], "fmsc-version=">, Group<f_Group>, Flags<[NoXarchOption, CoreOption]>,
HelpText<"Microsoft compiler version number to report in _MSC_VER (0 = don't define it (default))">;		HelpText<"Microsoft compiler version number to report in _MSC_VER (0 = don't define it (default))">;
def fms_compatibility_version		def fms_compatibility_version
▲ Show 20 Lines • Show All 4,550 Lines • Show Last 20 Lines

clang/lib/AST/CMakeLists.txt

Show First 20 Lines • Show All 91 Lines • ▼ Show 20 Lines	add_clang_library(clangAST
NestedNameSpecifier.cpp		NestedNameSpecifier.cpp
NSAPI.cpp		NSAPI.cpp
ODRHash.cpp		ODRHash.cpp
OpenMPClause.cpp		OpenMPClause.cpp
OSLog.cpp		OSLog.cpp
ParentMap.cpp		ParentMap.cpp
PrintfFormatString.cpp		PrintfFormatString.cpp
QualTypeNames.cpp		QualTypeNames.cpp
		Randstruct.cpp
RawCommentList.cpp		RawCommentList.cpp
RecordLayout.cpp		RecordLayout.cpp
RecordLayoutBuilder.cpp		RecordLayoutBuilder.cpp
ScanfFormatString.cpp		ScanfFormatString.cpp
SelectorLocationsKind.cpp		SelectorLocationsKind.cpp
Stmt.cpp		Stmt.cpp
StmtCXX.cpp		StmtCXX.cpp
StmtIterator.cpp		StmtIterator.cpp
Show All 23 Lines

clang/lib/AST/Decl.cpp

Show All 24 Lines
#include "clang/AST/DeclTemplate.h"		#include "clang/AST/DeclTemplate.h"
#include "clang/AST/DeclarationName.h"		#include "clang/AST/DeclarationName.h"
#include "clang/AST/Expr.h"		#include "clang/AST/Expr.h"
#include "clang/AST/ExprCXX.h"		#include "clang/AST/ExprCXX.h"
#include "clang/AST/ExternalASTSource.h"		#include "clang/AST/ExternalASTSource.h"
#include "clang/AST/ODRHash.h"		#include "clang/AST/ODRHash.h"
#include "clang/AST/PrettyDeclStackTrace.h"		#include "clang/AST/PrettyDeclStackTrace.h"
#include "clang/AST/PrettyPrinter.h"		#include "clang/AST/PrettyPrinter.h"
		#include "clang/AST/Randstruct.h"
#include "clang/AST/Redeclarable.h"		#include "clang/AST/Redeclarable.h"
#include "clang/AST/Stmt.h"		#include "clang/AST/Stmt.h"
#include "clang/AST/TemplateBase.h"		#include "clang/AST/TemplateBase.h"
#include "clang/AST/Type.h"		#include "clang/AST/Type.h"
#include "clang/AST/TypeLoc.h"		#include "clang/AST/TypeLoc.h"
#include "clang/Basic/Builtins.h"		#include "clang/Basic/Builtins.h"
#include "clang/Basic/IdentifierTable.h"		#include "clang/Basic/IdentifierTable.h"
#include "clang/Basic/LLVM.h"		#include "clang/Basic/LLVM.h"
▲ Show 20 Lines • Show All 4,537 Lines • ▼ Show 20 Lines	RecordDecl::RecordDecl(Kind DK, TagKind TK, const ASTContext &C,
setNonTrivialToPrimitiveDefaultInitialize(false);		setNonTrivialToPrimitiveDefaultInitialize(false);
setNonTrivialToPrimitiveCopy(false);		setNonTrivialToPrimitiveCopy(false);
setNonTrivialToPrimitiveDestroy(false);		setNonTrivialToPrimitiveDestroy(false);
setHasNonTrivialToPrimitiveDefaultInitializeCUnion(false);		setHasNonTrivialToPrimitiveDefaultInitializeCUnion(false);
setHasNonTrivialToPrimitiveDestructCUnion(false);		setHasNonTrivialToPrimitiveDestructCUnion(false);
setHasNonTrivialToPrimitiveCopyCUnion(false);		setHasNonTrivialToPrimitiveCopyCUnion(false);
setParamDestroyedInCallee(false);		setParamDestroyedInCallee(false);
setArgPassingRestrictions(APK_CanPassInRegs);		setArgPassingRestrictions(APK_CanPassInRegs);
		setIsRandomized(false);
}		}

RecordDecl RecordDecl::Create(const ASTContext &C, TagKind TK, DeclContext DC,		RecordDecl RecordDecl::Create(const ASTContext &C, TagKind TK, DeclContext DC,
SourceLocation StartLoc, SourceLocation IdLoc,		SourceLocation StartLoc, SourceLocation IdLoc,
IdentifierInfo Id, RecordDecl PrevDecl) {		IdentifierInfo Id, RecordDecl PrevDecl) {
RecordDecl *R = new (C, DC) RecordDecl(Record, TK, C, DC,		RecordDecl *R = new (C, DC) RecordDecl(Record, TK, C, DC,
StartLoc, IdLoc, Id, PrevDecl);		StartLoc, IdLoc, Id, PrevDecl);
R->setMayHaveOutOfDateDef(C.getLangOpts().Modules);		R->setMayHaveOutOfDateDef(C.getLangOpts().Modules);
▲ Show 20 Lines • Show All 67 Lines • ▼ Show 20 Lines

/// isMsStruct - Get whether or not this record uses ms_struct layout.		/// isMsStruct - Get whether or not this record uses ms_struct layout.
/// This which can be turned on with an attribute, pragma, or the		/// This which can be turned on with an attribute, pragma, or the
/// -mms-bitfields command-line option.		/// -mms-bitfields command-line option.
bool RecordDecl::isMsStruct(const ASTContext &C) const {		bool RecordDecl::isMsStruct(const ASTContext &C) const {
return hasAttr<MSStructAttr>() \|\| C.getLangOpts().MSBitfields == 1;		return hasAttr<MSStructAttr>() \|\| C.getLangOpts().MSBitfields == 1;
}		}

		void RecordDecl::reorderFields(const SmallVectorImpl<Decl *> &Fields) {
		std::tie(FirstDecl, LastDecl) = DeclContext::BuildDeclChain(Fields, false);
		LastDecl->NextInContextAndBits.setPointer(nullptr);
		setIsRandomized(true);
		}

void RecordDecl::LoadFieldsFromExternalStorage() const {		void RecordDecl::LoadFieldsFromExternalStorage() const {
ExternalASTSource *Source = getASTContext().getExternalSource();		ExternalASTSource *Source = getASTContext().getExternalSource();
assert(hasExternalLexicalStorage() && Source && "No external storage?");		assert(hasExternalLexicalStorage() && Source && "No external storage?");

// Notify that we have a RecordDecl doing some initialization.		// Notify that we have a RecordDecl doing some initialization.
ExternalASTSource::Deserializing TheFields(Source);		ExternalASTSource::Deserializing TheFields(Source);

SmallVector<Decl*, 64> Decls;		SmallVector<Decl*, 64> Decls;
▲ Show 20 Lines • Show All 534 Lines • Show Last 20 Lines

clang/lib/AST/Randstruct.cpp

This file was added.

//===--- Randstruct.cpp ---------------------------------------------------===//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//===----------------------------------------------------------------------===//

// This file contains the implementation for Clang's structure field layout

// randomization.

//===----------------------------------------------------------------------===//

#include "clang/AST/Randstruct.h"

#include "clang/AST/ASTContext.h"

#include "clang/AST/ASTDiagnostic.h"

#include "clang/AST/Attr.h"

#include "clang/Basic/Diagnostic.h"

#include "llvm/ADT/SmallVector.h"

#include <algorithm>

#include <random>

#include <set>

#include <sstream>

#include <string>

using clang::ASTContext;

using clang::FieldDecl;

using llvm::SmallVector;

namespace {

// FIXME: Replace this with some discovery once that mechanism exists.

enum { CACHE_LINE = 64 };

// The Bucket class holds the struct fields we're trying to fill to a

// cache-line.

class Bucket {

SmallVector<FieldDecl *, 64> Fields;

int Size = 0;

public:

virtual ~Bucket() = default;

SmallVector<FieldDecl *, 64> &fields() { return Fields; }

void addField(FieldDecl *Field, int FieldSize);

virtual bool canFit(int FieldSize) const {

return Size + FieldSize <= CACHE_LINE;

}

virtual bool isBitfieldRun() const { return false; }

bool full() const { return Size >= CACHE_LINE; }

};

void Bucket::addField(FieldDecl *Field, int FieldSize) {

Size += FieldSize;

Fields.push_back(Field);

}

struct BitfieldRunBucket : public Bucket {

bool canFit(int FieldSize) const override { return true; }

bool isBitfieldRun() const override { return true; }

};

void randomizeStructureLayoutImpl(const ASTContext &Context,

llvm::SmallVectorImpl<FieldDecl *> &FieldsOut,

std::mt19937 &RNG) {

// All of the Buckets produced by best-effort cache-line algorithm.

SmallVector<std::unique_ptr<Bucket>, 16> Buckets;

// The current bucket of fields that we are trying to fill to a cache-line.

std::unique_ptr<Bucket> CurrentBucket;

// The current bucket containing the run of adjacent bitfields to ensure they

aaron.ballmanUnsubmitted

Done

This size seems as defensible as most others; do you plan to do more here, or should this comment be removed?

aaron.ballman: This size seems as defensible as most others; do you plan to do more here, or should this…

voidAuthorUnsubmitted

Done

It's probably not worth looking into unless it becomes an issue. I'll remove it.

void: It's probably not worth looking into unless it becomes an issue. I'll remove it.

// remain adjacent.

std::unique_ptr<BitfieldRunBucket> CurrentBitfieldRun;

aaron.ballmanUnsubmitted

Done

// The current bucket of fields that we are trying to fill to a cache-line.

- std::unique_ptr<Bucket> CurrentBucket = nullptr;

+ std::unique_ptr<Bucket> CurrentBucket;

// The current bucket containing the run of adjacent bitfields to ensure they

// remain adjacent.

- std::unique_ptr<BitfieldRunBucket> CurrentBitfieldRun = nullptr;

+ std::unique_ptr<BitfieldRunBucket> CurrentBitfieldRun;

// Tracks the number of fields that we failed to fit to the current bucket,

Default ctor already does the right thing, so no need to do the initialization.

aaron.ballman: Default ctor already does the right thing, so no need to do the initialization.

// Tracks the number of fields that we failed to fit to the current bucket,

// and thus still need to be added later.

size_t Skipped = 0;

while (!FieldsOut.empty()) {

// If we've Skipped more fields than we have remaining to place, that means

// that they can't fit in our current bucket, and we need to start a new

// one.

if (Skipped >= FieldsOut.size()) {

Skipped = 0;

Buckets.push_back(std::move(CurrentBucket));

}

// Take the first field that needs to be put in a bucket.

auto FieldIter = FieldsOut.begin();

FieldDecl *FD = *FieldIter;

if (FD->isBitField() && !FD->isZeroLengthBitField(Context)) {

// Start a bitfield run if this is the first bitfield we have found.

if (!CurrentBitfieldRun)

CurrentBitfieldRun = std::make_unique<BitfieldRunBucket>();

// We've placed the field, and can remove it from the "awaiting Buckets"

// vector called "Fields."

aaron.ballmanUnsubmitted

Not Done

Oh cool, we do bit-field runs!

How should we handle anonymous bit-fields (if anything special should be done for them at all)? People usually use them for padding between bit-fields, so it's not clear to me how to treat them when randomizing.

aaron.ballman: Oh cool, we do bit-field runs! How should we handle anonymous bit-fields (if anything special…

voidAuthorUnsubmitted

Not Done

Good question! I'm not sure either. On one hand, I'm rather concerned about changing bitfield order in general, but it appears to be something that GCC's plugin does, so...

void: Good question! I'm not sure either. On one hand, I'm rather concerned about changing bitfield…

aaron.ballmanUnsubmitted

Not Done

Yeah, I was really surprised about bit-fields as well. I'm especially concerned that bit-fields which were [un]carefully straddling allocation unit boundaries might be rearranged such that subtle atomic bugs and whatnot will be exposed.

If we find these sort of concerns are valid in real world code, we may want to add a second command line option (off-by-default, perhaps) for enabling rearranging bit-fields. But for now, I think it's fine to follow GCC's lead here.

aaron.ballman: Yeah, I was really surprised about bit-fields as well. I'm especially concerned that bit-fields…

CurrentBitfieldRun->addField(FD, /*FieldSize is irrelevant here*/ 1);

FieldsOut.erase(FieldIter);

continue;

}

// Else, current field is not a bitfield. If we were previously in a

// bitfield run, end it.

if (CurrentBitfieldRun)

Buckets.push_back(std::move(CurrentBitfieldRun));

// If we don't have a bucket, make one.

if (!CurrentBucket)

CurrentBucket = std::make_unique<Bucket>();

uint64_t Width = Context.getTypeInfo(FD->getType()).Width;

if (Width >= CACHE_LINE) {

std::unique_ptr<Bucket> OverSized = std::make_unique<Bucket>();

OverSized->addField(FD, Width);

FieldsOut.erase(FieldIter);

Buckets.push_back(std::move(OverSized));

continue;

}

// If it fits, add it.

if (CurrentBucket->canFit(Width)) {

CurrentBucket->addField(FD, Width);

FieldsOut.erase(FieldIter);

// If it's now full, tie off the bucket.

if (CurrentBucket->full()) {

Skipped = 0;

Buckets.push_back(std::move(CurrentBucket));

}

} else {

// We can't fit it in our current bucket. Move to the end for processing

// later.

++Skipped; // Mark it skipped.

FieldsOut.push_back(FD);

FieldsOut.erase(FieldIter);

}

// Done processing the fields awaiting a bucket.

// If we were filling a bucket, tie it off.

if (CurrentBucket)

Buckets.push_back(std::move(CurrentBucket));

// If we were processing a bitfield run bucket, tie it off.

if (CurrentBitfieldRun)

Buckets.push_back(std::move(CurrentBitfieldRun));

std::shuffle(std::begin(Buckets), std::end(Buckets), RNG);

// Produce the new ordering of the elements from the Buckets.

SmallVector<FieldDecl *, 16> FinalOrder;

for (const std::unique_ptr<Bucket> &B : Buckets) {

MaskRayUnsubmitted

Not Done

// Produce the new ordering of the elements from the Buckets.

- SmallVector<FieldDecl *, 16> FinalOrder;

+ SmallVector<FieldDecl *> FinalOrder;

for (const std::unique_ptr<Bucket> &B : Buckets) {

MaskRay:

llvm::SmallVectorImpl<FieldDecl *> &RandFields = B->fields();

if (!B->isBitfieldRun())

std::shuffle(std::begin(RandFields), std::end(RandFields), RNG);

MaskRayUnsubmitted

Not Done

llvm::shuffle to avoid

MaskRay: `llvm::shuffle` to avoid

FinalOrder.insert(FinalOrder.end(), RandFields.begin(), RandFields.end());

}

FieldsOut = FinalOrder;

}

} // anonymous namespace

namespace clang {

namespace randstruct {

bool randomizeStructureLayout(const ASTContext &Context, StringRef Name,

ArrayRef<Decl *> Fields,

SmallVectorImpl<Decl *> &FinalOrdering) {

SmallVector<FieldDecl *, 64> RandomizedFields;

unsigned TotalNumFields = 0;

for (Decl *D : Fields) {

++TotalNumFields;

aaron.ballmanUnsubmitted

Done

This one seems a bit large to me; any reason not to use 16 again?

aaron.ballman: This one seems a bit large to me; any reason not to use `16` again?

voidAuthorUnsubmitted

Done

The code above looks to apply mostly to bitfield runs. This is for all fields in a structure. I assumed (without proof) that this will always be larger than the bitfield runs. :-)

void: The code above looks to apply mostly to bitfield runs. This is for all fields in a structure. I…

aaron.ballmanUnsubmitted

Done

I think that's a safe assumption and it's probably not worth worrying about overly much. It's more that 16 bit-fields seemed like it would be large enough to cover most bit-fields in a class while still being "small", but 64 fields seems likely to be way larger than most structures will need and isn't very small.

That said, I don't have a strong feeling here and I think the numbers are defensible unless we measure something that says otherwise.

aaron.ballman: I think that's a safe assumption and it's probably not worth worrying about overly much. It's…

if (auto *FD = dyn_cast<FieldDecl>(D))

RandomizedFields.push_back(FD);

else

FinalOrdering.push_back(D);

}

aaron.ballmanUnsubmitted

Done

++TotalNumFields;

- if (auto FD = dyn_cast<FieldDecl>(D)) {

+ if (auto *FD = dyn_cast<FieldDecl>(D)) {

FD->setOriginalFieldIndex(Index++);

aaron.ballman:

if (RandomizedFields.empty())

return false;

// Struct might end with a variable-length array or an array of size 0 or 1,

// in which case we don't want to randomize it.

FieldDecl *VLA = nullptr;

const auto *CA =

dyn_cast<ConstantArrayType>(RandomizedFields.back()->getType());

if ((CA && (CA->getSize().sle(2) || CA->isIncompleteArrayType())) ||

llvm::any_of(Fields, [](Decl *D) {

if (const FieldDecl *FD = dyn_cast<FieldDecl>(D)) {

const Type *FDTy = FD->getType().getTypePtr();

if (const RecordType *FDTTy = FDTy->getAs<RecordType>())

return FDTTy->getDecl()->hasFlexibleArrayMember();

}

return false;

}))

VLA = RandomizedFields.pop_back_val();

std::string Seed = (Context.getLangOpts().RandstructSeed + Name).str();

std::seed_seq SeedSeq(Seed.begin(), Seed.end());

std::mt19937 RNG(SeedSeq);

randomizeStructureLayoutImpl(Context, RandomizedFields, RNG);

if (VLA)

RandomizedFields.push_back(VLA);

FinalOrdering.insert(FinalOrdering.end(), RandomizedFields.begin(),

RandomizedFields.end());

assert(TotalNumFields == FinalOrdering.size() &&

"Decl count has been altered after Randstruct randomization!");

return true;

}

} // end namespace randstruct

} // end namespace clang

clang/lib/Driver/ToolChains/Clang.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 5,901 Lines • ▼ Show 20 Lines	if (Arg *A = Args.getLastArg(options::OPT_fmessage_length_EQ)) {
// If -fmessage-length=N was not specified, determine whether this is a		// If -fmessage-length=N was not specified, determine whether this is a
// terminal and, if so, implicitly define -fmessage-length appropriately.		// terminal and, if so, implicitly define -fmessage-length appropriately.
MessageLength = llvm::sys::Process::StandardErrColumns();		MessageLength = llvm::sys::Process::StandardErrColumns();
}		}
if (MessageLength != 0)		if (MessageLength != 0)
CmdArgs.push_back(		CmdArgs.push_back(
Args.MakeArgString("-fmessage-length=" + Twine(MessageLength)));		Args.MakeArgString("-fmessage-length=" + Twine(MessageLength)));

		if (Arg *A = Args.getLastArg(options::OPT_frandomize_layout_seed_EQ))
		CmdArgs.push_back(
		Args.MakeArgString("-frandomize-layout-seed=" + Twine(A->getValue(0))));
		MaskRayUnsubmitted Not Done Reply Inline Actions `A->render(Args, CmdArgs);` MaskRay: `A->render(Args, CmdArgs);`

		if (Arg *A = Args.getLastArg(options::OPT_frandomize_layout_seed_file_EQ))
		CmdArgs.push_back(Args.MakeArgString("-frandomize-layout-seed-file=" +
		MaskRayUnsubmitted Not Done Reply Inline Actions `A->render(Args, CmdArgs);` MaskRay: `A->render(Args, CmdArgs);`
		Twine(A->getValue(0))));

// -fvisibility= and -fvisibility-ms-compat are of a piece.		// -fvisibility= and -fvisibility-ms-compat are of a piece.
if (const Arg *A = Args.getLastArg(options::OPT_fvisibility_EQ,		if (const Arg *A = Args.getLastArg(options::OPT_fvisibility_EQ,
options::OPT_fvisibility_ms_compat)) {		options::OPT_fvisibility_ms_compat)) {
if (A->getOption().matches(options::OPT_fvisibility_EQ)) {		if (A->getOption().matches(options::OPT_fvisibility_EQ)) {
CmdArgs.push_back("-fvisibility");		CmdArgs.push_back("-fvisibility");
CmdArgs.push_back(A->getValue());		CmdArgs.push_back(A->getValue());
} else {		} else {
assert(A->getOption().matches(options::OPT_fvisibility_ms_compat));		assert(A->getOption().matches(options::OPT_fvisibility_ms_compat));
▲ Show 20 Lines • Show All 2,477 Lines • Show Last 20 Lines

clang/lib/Frontend/CompilerInvocation.cpp

Show First 20 Lines • Show All 88 Lines • ▼ Show 20 Lines
#include "llvm/Support/VirtualFileSystem.h"		#include "llvm/Support/VirtualFileSystem.h"
#include "llvm/Support/raw_ostream.h"		#include "llvm/Support/raw_ostream.h"
#include "llvm/Target/TargetOptions.h"		#include "llvm/Target/TargetOptions.h"
#include <algorithm>		#include <algorithm>
#include <atomic>		#include <atomic>
#include <cassert>		#include <cassert>
#include <cstddef>		#include <cstddef>
#include <cstring>		#include <cstring>
		#include <fstream>
#include <memory>		#include <memory>
#include <string>		#include <string>
#include <tuple>		#include <tuple>
#include <type_traits>		#include <type_traits>
#include <utility>		#include <utility>
#include <vector>		#include <vector>

using namespace clang;		using namespace clang;
▲ Show 20 Lines • Show All 3,575 Lines • ▼ Show 20 Lines	#undef LANG_OPTION_WITH_MARSHALLING

if (Opts.RelativeCXXABIVTables)		if (Opts.RelativeCXXABIVTables)
GenerateArg(Args, OPT_fexperimental_relative_cxx_abi_vtables, SA);		GenerateArg(Args, OPT_fexperimental_relative_cxx_abi_vtables, SA);
else		else
GenerateArg(Args, OPT_fno_experimental_relative_cxx_abi_vtables, SA);		GenerateArg(Args, OPT_fno_experimental_relative_cxx_abi_vtables, SA);

for (const auto &MP : Opts.MacroPrefixMap)		for (const auto &MP : Opts.MacroPrefixMap)
GenerateArg(Args, OPT_fmacro_prefix_map_EQ, MP.first + "=" + MP.second, SA);		GenerateArg(Args, OPT_fmacro_prefix_map_EQ, MP.first + "=" + MP.second, SA);

		if (!Opts.RandstructSeed.empty())
		GenerateArg(Args, OPT_frandomize_layout_seed_EQ, Opts.RandstructSeed, SA);
}		}

bool CompilerInvocation::ParseLangArgs(LangOptions &Opts, ArgList &Args,		bool CompilerInvocation::ParseLangArgs(LangOptions &Opts, ArgList &Args,
InputKind IK, const llvm::Triple &T,		InputKind IK, const llvm::Triple &T,
std::vector<std::string> &Includes,		std::vector<std::string> &Includes,
DiagnosticsEngine &Diags) {		DiagnosticsEngine &Diags) {
unsigned NumErrorsBefore = Diags.getNumErrors();		unsigned NumErrorsBefore = Diags.getNumErrors();

▲ Show 20 Lines • Show All 536 Lines • ▼ Show 20 Lines	#undef LANG_OPTION_WITH_MARSHALLING

// Error if -mvscale-min is unbounded.		// Error if -mvscale-min is unbounded.
if (Arg *A = Args.getLastArg(options::OPT_mvscale_min_EQ)) {		if (Arg *A = Args.getLastArg(options::OPT_mvscale_min_EQ)) {
unsigned VScaleMin;		unsigned VScaleMin;
if (StringRef(A->getValue()).getAsInteger(10, VScaleMin) \|\| VScaleMin == 0)		if (StringRef(A->getValue()).getAsInteger(10, VScaleMin) \|\| VScaleMin == 0)
Diags.Report(diag::err_cc1_unbounded_vscale_min);		Diags.Report(diag::err_cc1_unbounded_vscale_min);
}		}

		if (const Arg *A = Args.getLastArg(OPT_frandomize_layout_seed_file_EQ)) {
		MaskRayUnsubmitted Not Done Reply Inline Actions Why is -frandomize-layout-seed-file= needed? Can't the user use something like -frandomize-layout-seed=$(<file) ? Or backquotes for POSIX sh compatibility? The impl uses the very uncommon header <fstream>. MaskRay: Why is -frandomize-layout-seed-file= needed? Can't the user use something like -frandomize…
		voidAuthorUnsubmitted Done Reply Inline Actions That seems a bit clunky to me. If you don't like it, I can just remove the option entirely. Wish you would have mentioned these concerns earlier...like in the several weeks this has been in review. The `fstream` header is used in other places. If there's a better alternative, please suggest one. void: That seems a bit clunky to me. If you don't like it, I can just remove the option entirely.
		MaskRayUnsubmitted Not Done Reply Inline Actions I was a subscriber only vaguely aware of this patch and mostly absent in the past 2 weeks on trips (which meant I spent really little time on reading patches) :) I just hope that every option added is useful. A thing that is not so necessarily can be delayed until it is actually needed. Just noticed that there is test coverage gap that the cc1 options are completely untested. There are unit tests, but no lit test. MaskRay: I was a subscriber only vaguely aware of this patch and mostly absent in the past 2 weeks on…
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions I just hope that every option added is useful. A thing that is not so necessarily can be delayed until it is actually needed. I think this option is useful. Windows' cmd.exe doesn't make it particularly trivial to pipe contents to an argument in a command line, but also, IDEs don't always make it obvious how you would pipe the seed content into a file either. I don't see an issue with using `fstream` either; we use it when necessary. aaron.ballman: > I just hope that every option added is useful. A thing that is not so necessarily can be…
		MaskRayUnsubmitted Not Done Reply Inline Actions Ah, LG! Just need some tests for the two -f -cc1 options. MaskRay: Ah, LG! Just need some tests for the two -f -cc1 options.
		std::ifstream SeedFile(A->getValue(0));

		if (!SeedFile.is_open())
		Diags.Report(diag::err_drv_cannot_open_randomize_layout_seed_file)
		<< A->getValue(0);

		std::getline(SeedFile, Opts.RandstructSeed);
		}

		if (const Arg *A = Args.getLastArg(OPT_frandomize_layout_seed_EQ))
		Opts.RandstructSeed = A->getValue(0);

return Diags.getNumErrors() == NumErrorsBefore;		return Diags.getNumErrors() == NumErrorsBefore;
}		}

static bool isStrictlyPreprocessorAction(frontend::ActionKind Action) {		static bool isStrictlyPreprocessorAction(frontend::ActionKind Action) {
switch (Action) {		switch (Action) {
case frontend::ASTDeclList:		case frontend::ASTDeclList:
case frontend::ASTDump:		case frontend::ASTDump:
case frontend::ASTPrint:		case frontend::ASTPrint:
▲ Show 20 Lines • Show All 575 Lines • Show Last 20 Lines

clang/lib/Sema/SemaCast.cpp

Show First 20 Lines • Show All 3,123 Lines • ▼ Show 20 Lines	else if (!Self.CheckObjCARCUnavailableWeakConversion(DestType, SrcType)) {
return;		return;
}		}
}		}

if (!checkCastFunctionType(Self, SrcExpr, DestType))		if (!checkCastFunctionType(Self, SrcExpr, DestType))
Self.Diag(OpRange.getBegin(), diag::warn_cast_function_type)		Self.Diag(OpRange.getBegin(), diag::warn_cast_function_type)
<< SrcType << DestType << OpRange;		<< SrcType << DestType << OpRange;

		if (isa<PointerType>(SrcType) && isa<PointerType>(DestType)) {
		QualType SrcTy = cast<PointerType>(SrcType)->getPointeeType();
		QualType DestTy = cast<PointerType>(DestType)->getPointeeType();

		const RecordDecl *SrcRD = SrcTy->getAsRecordDecl();
		const RecordDecl *DestRD = DestTy->getAsRecordDecl();

		if (SrcRD && DestRD && SrcRD->hasAttr<RandomizeLayoutAttr>() &&
		SrcRD != DestRD) {
		// The struct we are casting the pointer from was randomized.
		Self.Diag(OpRange.getBegin(), diag::err_cast_from_randomized_struct)
		<< SrcType << DestType;
		SrcExpr = ExprError();
		return;
		}
		}

DiagnoseCastOfObjCSEL(Self, SrcExpr, DestType);		DiagnoseCastOfObjCSEL(Self, SrcExpr, DestType);
DiagnoseCallingConvCast(Self, SrcExpr, DestType, OpRange);		DiagnoseCallingConvCast(Self, SrcExpr, DestType, OpRange);
DiagnoseBadFunctionCast(Self, SrcExpr, DestType);		DiagnoseBadFunctionCast(Self, SrcExpr, DestType);
Kind = Self.PrepareScalarCast(SrcExpr, DestType);		Kind = Self.PrepareScalarCast(SrcExpr, DestType);
if (SrcExpr.isInvalid())		if (SrcExpr.isInvalid())
return;		return;

if (Kind == CK_BitCast)		if (Kind == CK_BitCast)
▲ Show 20 Lines • Show All 132 Lines • Show Last 20 Lines

clang/lib/Sema/SemaDecl.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show All 18 Lines

#include "clang/AST/CommentDiagnostic.h" #include "clang/AST/CommentDiagnostic.h"

#include "clang/AST/DeclCXX.h" #include "clang/AST/DeclCXX.h"

#include "clang/AST/DeclObjC.h" #include "clang/AST/DeclObjC.h"

#include "clang/AST/DeclTemplate.h" #include "clang/AST/DeclTemplate.h"

#include "clang/AST/EvaluatedExprVisitor.h" #include "clang/AST/EvaluatedExprVisitor.h"

#include "clang/AST/Expr.h" #include "clang/AST/Expr.h"

#include "clang/AST/ExprCXX.h" #include "clang/AST/ExprCXX.h"

#include "clang/AST/NonTrivialTypeVisitor.h" #include "clang/AST/NonTrivialTypeVisitor.h"

#include "clang/AST/Randstruct.h"

aaron.ballmanUnsubmitted

Done

Is this include necessary?

aaron.ballman: Is this include necessary?

voidAuthorUnsubmitted

Done

Yes. There's a call to randstruct::randomizeStructureLayout below.

void: Yes. There's a call to `randstruct::randomizeStructureLayout` below.

aaron.ballmanUnsubmitted

Not Done

Oh derp, I missed that. :-)

aaron.ballman: Oh derp, I missed that. :-)

#include "clang/AST/StmtCXX.h" #include "clang/AST/StmtCXX.h"

#include "clang/Basic/Builtins.h" #include "clang/Basic/Builtins.h"

#include "clang/Basic/PartialDiagnostic.h" #include "clang/Basic/PartialDiagnostic.h"

#include "clang/Basic/SourceManager.h" #include "clang/Basic/SourceManager.h"

#include "clang/Basic/TargetInfo.h" #include "clang/Basic/TargetInfo.h"

#include "clang/Lex/HeaderSearch.h" // TODO: Sema shouldn't depend on Lex #include "clang/Lex/HeaderSearch.h" // TODO: Sema shouldn't depend on Lex

#include "clang/Lex/Lexer.h" // TODO: Extract static functions to fix layering. #include "clang/Lex/Lexer.h" // TODO: Extract static functions to fix layering.

#include "clang/Lex/ModuleLoader.h" // TODO: Sema shouldn't depend on Lex #include "clang/Lex/ModuleLoader.h" // TODO: Sema shouldn't depend on Lex

▲ Show 20 Lines • Show All 17,928 Lines • ▼ Show 20 Lines if (Record) {

} }

if (!Completed) if (!Completed)

Record->completeDefinition(); Record->completeDefinition();

// Handle attributes before checking the layout. // Handle attributes before checking the layout.

ProcessDeclAttributeList(S, Record, Attrs); ProcessDeclAttributeList(S, Record, Attrs);

// Maybe randomize the field order.

if (!getLangOpts().CPlusPlus && Record->hasAttr<RandomizeLayoutAttr>() &&

!Record->isUnion() && !getLangOpts().RandstructSeed.empty() &&

!Record->isRandomized()) {

SmallVector<Decl *, 32> OrigFieldOrdering(Record->fields());

MaskRayUnsubmitted

Not Done

!Record->isRandomized()) {

- SmallVector<Decl *, 32> OrigFieldOrdering(Record->fields());

+ SmallVector<Decl *> OrigFieldOrdering(Record->fields());

SmallVector<Decl *, 32> NewFieldOrdering;

32 may be too large. Consider the default inlined number of elements (fit the vector in 64 bytes).

MaskRay: 32 may be too large. Consider the default inlined number of elements (fit the vector in 64…

voidAuthorUnsubmitted

Done

Linux has many structures with far more fields. In fact, it's probably not useful to randomize structures with a small number of fields.

void: Linux has many structures with far more fields. In fact, it's probably not useful to randomize…

SmallVector<Decl *, 32> NewFieldOrdering;

if (randstruct::randomizeStructureLayout(

Context, Record->getNameAsString(), OrigFieldOrdering,

NewFieldOrdering))

Record->reorderFields(NewFieldOrdering);

}

// We may have deferred checking for a deleted destructor. Check now. // We may have deferred checking for a deleted destructor. Check now.

if (CXXRecord) { if (CXXRecord) {

auto *Dtor = CXXRecord->getDestructor(); auto *Dtor = CXXRecord->getDestructor();

if (Dtor && Dtor->isImplicit() && if (Dtor && Dtor->isImplicit() &&

ShouldDeleteSpecialMember(Dtor, CXXDestructor)) { ShouldDeleteSpecialMember(Dtor, CXXDestructor)) {

CXXRecord->setImplicitDestructorIsDeleted(); CXXRecord->setImplicitDestructorIsDeleted();

SetDeclDeleted(Dtor, CXXRecord->getLocation()); SetDeclDeleted(Dtor, CXXRecord->getLocation());

} }

▲ Show 20 Lines • Show All 1,017 Lines • Show Last 20 Lines

clang/lib/Sema/SemaDeclAttr.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 5,115 Lines • ▼ Show 20 Lines	if (AL.getKind() == ParsedAttr::AT_Owner) {
}		}
for (Decl *Redecl : D->redecls()) {		for (Decl *Redecl : D->redecls()) {
Redecl->addAttr(::new (S.Context)		Redecl->addAttr(::new (S.Context)
PointerAttr(S.Context, AL, DerefTypeLoc));		PointerAttr(S.Context, AL, DerefTypeLoc));
}		}
}		}
}		}

		static void handleRandomizeLayoutAttr(Sema &S, Decl *D, const ParsedAttr &AL) {
		if (checkAttrMutualExclusion<NoRandomizeLayoutAttr>(S, D, AL))
		return;
		if (!D->hasAttr<RandomizeLayoutAttr>())
		D->addAttr(::new (S.Context) RandomizeLayoutAttr(S.Context, AL));
		}

		static void handleNoRandomizeLayoutAttr(Sema &S, Decl *D,
		const ParsedAttr &AL) {
		if (checkAttrMutualExclusion<RandomizeLayoutAttr>(S, D, AL))
		return;
		if (!D->hasAttr<NoRandomizeLayoutAttr>())
		D->addAttr(::new (S.Context) NoRandomizeLayoutAttr(S.Context, AL));
		}

bool Sema::CheckCallingConvAttr(const ParsedAttr &Attrs, CallingConv &CC,		bool Sema::CheckCallingConvAttr(const ParsedAttr &Attrs, CallingConv &CC,
const FunctionDecl *FD) {		const FunctionDecl *FD) {
if (Attrs.isInvalid())		if (Attrs.isInvalid())
return true;		return true;

if (Attrs.hasProcessingCache()) {		if (Attrs.hasProcessingCache()) {
CC = (CallingConv) Attrs.getProcessingCache();		CC = (CallingConv) Attrs.getProcessingCache();
return false;		return false;
▲ Show 20 Lines • Show All 3,498 Lines • ▼ Show 20 Lines	case ParsedAttr::AT_Packed:
handlePackedAttr(S, D, AL);		handlePackedAttr(S, D, AL);
break;		break;
case ParsedAttr::AT_PreferredName:		case ParsedAttr::AT_PreferredName:
handlePreferredName(S, D, AL);		handlePreferredName(S, D, AL);
break;		break;
case ParsedAttr::AT_Section:		case ParsedAttr::AT_Section:
handleSectionAttr(S, D, AL);		handleSectionAttr(S, D, AL);
break;		break;
		case ParsedAttr::AT_RandomizeLayout:
		handleRandomizeLayoutAttr(S, D, AL);
		break;
		case ParsedAttr::AT_NoRandomizeLayout:
		handleNoRandomizeLayoutAttr(S, D, AL);
		break;
case ParsedAttr::AT_CodeSeg:		case ParsedAttr::AT_CodeSeg:
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions I don't think this is sufficient. Consider redeclaration merging cases: struct [[gnu::randomize_layout]] S; struct [[gnu::no_randomize_layout]] S {}; struct [[gnu::no_randomize_layout]] T; struct [[gnu::randomize_layout]] T {}; I think if the user accidentally does something like this, it should be diagnosed. I would have assumed this would warrant an error diagnostic because the user is obviously confused as to what they want, but it seems GCC ignores the subsequent diagnostic with a warning: https://godbolt.org/z/1q8dazYPW. There's also the "confused attribute list" case which GCC just... does... things... with: https://godbolt.org/z/rnfsn7hG1. I think we want to behave more consistently with how we treat these cases. Either way, we shouldn't be silent. aaron.ballman: I don't think this is sufficient. Consider redeclaration merging cases: ``` struct [[gnu…
		voidAuthorUnsubmitted Done Reply Inline Actions The GCC feature is done via a plugin in Linux. So godbolt probably won't work in this case. I'll check to see how GCC responds to these attribute situations. void: The GCC feature is done via a plugin in Linux. So godbolt probably won't work in this case.
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions Thoughts on this? aaron.ballman: Thoughts on this?
		voidAuthorUnsubmitted Done Reply Inline Actions Okay, finally tested it with the GCC plugin. It doesn't produce a diagnostic. I'm not sure if that's the correct behavior, but at least it matches. How is such a thing handled with similar attributes? void: Okay, finally tested it with the GCC plugin. It doesn't produce a diagnostic. I'm not sure if…
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions Okay, finally tested it with the GCC plugin. It doesn't produce a diagnostic. I'm not sure if that's the correct behavior, but at least it matches. How is such a thing handled with similar attributes? As you might be unsurprised to learn: inconsistently. :-D However, we typically try to make attributes mutually exclusive (e.g., `hot` and `cold`, `global` and `device`, etc). Unfortunately, I gave you some advice earlier to combine into one semantic attribute and that may have been less-than-awesome advice. Attr.td supports the ability to trivially define to attributes as mutually exclusive (e.g., `def : MutualExclusions<[Hot, Cold]>;` but this works on the attribute level and not the spelling level. It's probably easier for you to split the definition back into two attributes in Attr.td and just use the `MutualExclusions` support we already have. Sorry for that churn! If you wanted to (and I certainly don't insist), another option would be to modify ClangAttrEmitter.cpp and Attr.td to support mutual exclusion syntax on the spelling level, so you could do something like: def : MutualExclusions<[ RandomizeLayout<GCC<"randomize_layout">>, RandomizeLayout<GCC<"no_randomize_layout">> ]>; where you specify the attribute and the spelling, then you could leave `RandomizeLayout` as a single semantic spelling. But again, I don't insist. aaron.ballman: > Okay, finally tested it with the GCC plugin. It doesn't produce a diagnostic. I'm not sure if…
handleCodeSegAttr(S, D, AL);		handleCodeSegAttr(S, D, AL);
break;		break;
case ParsedAttr::AT_Target:		case ParsedAttr::AT_Target:
handleTargetAttr(S, D, AL);		handleTargetAttr(S, D, AL);
break;		break;
case ParsedAttr::AT_TargetClones:		case ParsedAttr::AT_TargetClones:
handleTargetClonesAttr(S, D, AL);		handleTargetClonesAttr(S, D, AL);
break;		break;
▲ Show 20 Lines • Show All 704 Lines • Show Last 20 Lines

clang/test/Misc/pragma-attribute-supported-attributes-list.test

	Show First 20 Lines • Show All 98 Lines • ▼ Show 20 Lines
	// CHECK-NEXT: NoDuplicate (SubjectMatchRule_function)			// CHECK-NEXT: NoDuplicate (SubjectMatchRule_function)
	// CHECK-NEXT: NoEscape (SubjectMatchRule_variable_is_parameter)			// CHECK-NEXT: NoEscape (SubjectMatchRule_variable_is_parameter)
	// CHECK-NEXT: NoInline (SubjectMatchRule_function)			// CHECK-NEXT: NoInline (SubjectMatchRule_function)
	// CHECK-NEXT: NoInstrumentFunction (SubjectMatchRule_function, SubjectMatchRule_objc_method)			// CHECK-NEXT: NoInstrumentFunction (SubjectMatchRule_function, SubjectMatchRule_objc_method)
	// CHECK-NEXT: NoMerge (SubjectMatchRule_function)			// CHECK-NEXT: NoMerge (SubjectMatchRule_function)
	// CHECK-NEXT: NoMicroMips (SubjectMatchRule_function)			// CHECK-NEXT: NoMicroMips (SubjectMatchRule_function)
	// CHECK-NEXT: NoMips16 (SubjectMatchRule_function)			// CHECK-NEXT: NoMips16 (SubjectMatchRule_function)
	// CHECK-NEXT: NoProfileFunction (SubjectMatchRule_function)			// CHECK-NEXT: NoProfileFunction (SubjectMatchRule_function)
				// CHECK-NEXT: NoRandomizeLayout (SubjectMatchRule_record)
	// CHECK-NEXT: NoSanitize (SubjectMatchRule_function, SubjectMatchRule_objc_method, SubjectMatchRule_variable_is_global)			// CHECK-NEXT: NoSanitize (SubjectMatchRule_function, SubjectMatchRule_objc_method, SubjectMatchRule_variable_is_global)
	// CHECK-NEXT: NoSanitizeSpecific (SubjectMatchRule_function, SubjectMatchRule_variable_is_global)			// CHECK-NEXT: NoSanitizeSpecific (SubjectMatchRule_function, SubjectMatchRule_variable_is_global)
	// CHECK-NEXT: NoSpeculativeLoadHardening (SubjectMatchRule_function, SubjectMatchRule_objc_method)			// CHECK-NEXT: NoSpeculativeLoadHardening (SubjectMatchRule_function, SubjectMatchRule_objc_method)
	// CHECK-NEXT: NoSplitStack (SubjectMatchRule_function)			// CHECK-NEXT: NoSplitStack (SubjectMatchRule_function)
	// CHECK-NEXT: NoStackProtector (SubjectMatchRule_function)			// CHECK-NEXT: NoStackProtector (SubjectMatchRule_function)
	// CHECK-NEXT: NoThreadSafetyAnalysis (SubjectMatchRule_function)			// CHECK-NEXT: NoThreadSafetyAnalysis (SubjectMatchRule_function)
	// CHECK-NEXT: NoThrow (SubjectMatchRule_hasType_functionType)			// CHECK-NEXT: NoThrow (SubjectMatchRule_hasType_functionType)
	// CHECK-NEXT: NotTailCalled (SubjectMatchRule_function)			// CHECK-NEXT: NotTailCalled (SubjectMatchRule_function)
	Show All 28 Lines
	// CHECK-NEXT: OpenCLNoSVM (SubjectMatchRule_variable)			// CHECK-NEXT: OpenCLNoSVM (SubjectMatchRule_variable)
	// CHECK-NEXT: OptimizeNone (SubjectMatchRule_function, SubjectMatchRule_objc_method)			// CHECK-NEXT: OptimizeNone (SubjectMatchRule_function, SubjectMatchRule_objc_method)
	// CHECK-NEXT: Overloadable (SubjectMatchRule_function)			// CHECK-NEXT: Overloadable (SubjectMatchRule_function)
	// CHECK-NEXT: Owner (SubjectMatchRule_record_not_is_union)			// CHECK-NEXT: Owner (SubjectMatchRule_record_not_is_union)
	// CHECK-NEXT: ParamTypestate (SubjectMatchRule_variable_is_parameter)			// CHECK-NEXT: ParamTypestate (SubjectMatchRule_variable_is_parameter)
	// CHECK-NEXT: PassObjectSize (SubjectMatchRule_variable_is_parameter)			// CHECK-NEXT: PassObjectSize (SubjectMatchRule_variable_is_parameter)
	// CHECK-NEXT: PatchableFunctionEntry (SubjectMatchRule_function, SubjectMatchRule_objc_method)			// CHECK-NEXT: PatchableFunctionEntry (SubjectMatchRule_function, SubjectMatchRule_objc_method)
	// CHECK-NEXT: Pointer (SubjectMatchRule_record_not_is_union)			// CHECK-NEXT: Pointer (SubjectMatchRule_record_not_is_union)
				// CHECK-NEXT: RandomizeLayout (SubjectMatchRule_record)
	// CHECK-NEXT: ReleaseHandle (SubjectMatchRule_variable_is_parameter)			// CHECK-NEXT: ReleaseHandle (SubjectMatchRule_variable_is_parameter)
	// CHECK-NEXT: RenderScriptKernel (SubjectMatchRule_function)			// CHECK-NEXT: RenderScriptKernel (SubjectMatchRule_function)
	// CHECK-NEXT: ReqdWorkGroupSize (SubjectMatchRule_function)			// CHECK-NEXT: ReqdWorkGroupSize (SubjectMatchRule_function)
	// CHECK-NEXT: Restrict (SubjectMatchRule_function)			// CHECK-NEXT: Restrict (SubjectMatchRule_function)
	// CHECK-NEXT: ReturnTypestate (SubjectMatchRule_function, SubjectMatchRule_variable_is_parameter)			// CHECK-NEXT: ReturnTypestate (SubjectMatchRule_function, SubjectMatchRule_variable_is_parameter)
	// CHECK-NEXT: ReturnsNonNull (SubjectMatchRule_objc_method, SubjectMatchRule_function)			// CHECK-NEXT: ReturnsNonNull (SubjectMatchRule_objc_method, SubjectMatchRule_function)
	// CHECK-NEXT: ReturnsTwice (SubjectMatchRule_function)			// CHECK-NEXT: ReturnsTwice (SubjectMatchRule_function)
	// CHECK-NEXT: SYCLSpecialClass (SubjectMatchRule_record)			// CHECK-NEXT: SYCLSpecialClass (SubjectMatchRule_record)
	Show All 38 Lines

clang/unittests/AST/CMakeLists.txt

Show All 19 Lines	add_clang_unittest(ASTTests
CommentParser.cpp		CommentParser.cpp
CommentTextTest.cpp		CommentTextTest.cpp
DataCollectionTest.cpp		DataCollectionTest.cpp
DeclPrinterTest.cpp		DeclPrinterTest.cpp
DeclTest.cpp		DeclTest.cpp
EvaluateAsRValueTest.cpp		EvaluateAsRValueTest.cpp
ExternalASTSourceTest.cpp		ExternalASTSourceTest.cpp
NamedDeclPrinterTest.cpp		NamedDeclPrinterTest.cpp
		RandstructTest.cpp
RecursiveASTVisitorTest.cpp		RecursiveASTVisitorTest.cpp
SizelessTypesTest.cpp		SizelessTypesTest.cpp
SourceLocationTest.cpp		SourceLocationTest.cpp
StmtPrinterTest.cpp		StmtPrinterTest.cpp
StructuralEquivalenceTest.cpp		StructuralEquivalenceTest.cpp
TypePrinterTest.cpp		TypePrinterTest.cpp
)		)

Show All 16 Lines

clang/unittests/AST/RandstructTest.cpp

This file was added.

				//===- unittest/AST/RandstructTest.cpp ------------------------------------===//
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===----------------------------------------------------------------------===//
				//
				// This file contains tests for Clang's structure field layout randomization.
				//
				//===----------------------------------------------------------------------===//

				/*
				* Build this test suite by running `make ASTTests` in the build folder.
				*
				* Run this test suite by running the following in the build folder:
				* ` ./tools/clang/unittests/AST/ASTTests
				* --gtest_filter=StructureLayoutRandomization*`
				*/

				#include "clang/AST/Randstruct.h"
				#include "gtest/gtest.h"

				#include "DeclMatcher.h"
				#include "clang/AST/RecordLayout.h"
				#include "clang/ASTMatchers/ASTMatchers.h"
				#include "clang/Frontend/ASTUnit.h"
				#include "clang/Testing/CommandLineArgs.h"
				#include "clang/Tooling/Tooling.h"

				#include <vector>

				using namespace clang;
				using namespace clang::ast_matchers;
				using namespace clang::randstruct;

				using field_names = std::vector<std::string>;

				namespace {

				std::unique_ptr<ASTUnit> makeAST(const std::string &SourceCode) {
				std::vector<std::string> Args = getCommandLineArgsForTesting(Lang_C99);
				MaskRayUnsubmitted Not Done Reply Inline Actions Use static. See https://llvm.org/docs/CodingStandards.html#anonymous-namespaces MaskRay: Use static. See https://llvm.org/docs/CodingStandards.html#anonymous-namespaces
				voidAuthorUnsubmitted Done Reply Inline Actions Nah. void: Nah.
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions FWIW, I agree with this feedback -- please follow the coding standards unless there's strong incentive not to (which I don't think there is here). Sorry for not catching this before during review. aaron.ballman: FWIW, I agree with this feedback -- please follow the coding standards unless there's strong…
				Args.push_back("-frandomize-layout-seed=1234567890abcdef");

				IgnoringDiagConsumer IgnoringConsumer = IgnoringDiagConsumer();

				return tooling::buildASTFromCodeWithArgs(
				SourceCode, Args, "input.c", "clang-tool",
				std::make_shared<PCHContainerOperations>(),
				tooling::getClangStripDependencyFileAdjuster(),
				tooling::FileContentMappings(), &IgnoringConsumer);
				}

				RecordDecl *getRecordDeclFromAST(const ASTContext &C, const std::string &Name) {
				RecordDecl *RD = FirstDeclMatcher<RecordDecl>().match(
				C.getTranslationUnitDecl(), recordDecl(hasName(Name)));
				return RD;
				}

				std::vector<std::string> getFieldNamesFromRecord(const RecordDecl *RD) {
				std::vector<std::string> Fields;

				Fields.reserve(8);
				MaskRayUnsubmitted Not Done Reply Inline Actions Use static. See https://llvm.org/docs/CodingStandards.html#anonymous-namespaces MaskRay: Use static. See https://llvm.org/docs/CodingStandards.html#anonymous-namespaces
				for (auto *Field : RD->fields())
				Fields.push_back(Field->getNameAsString());

				return Fields;
				}

				bool isSubsequence(const field_names &Seq, const field_names &Subseq) {
				unsigned SeqLen = Seq.size();
				unsigned SubLen = Subseq.size();

				bool IsSubseq = false;
				for (unsigned I = 0; I < SeqLen; ++I)
				if (Seq[I] == Subseq[0]) {
				IsSubseq = true;
				for (unsigned J = 0; J + I < SeqLen && J < SubLen; ++J) {
				if (Seq[J + I] != Subseq[J]) {
				IsSubseq = false;
				break;
				}
				}
				}

				return IsSubseq;
				}

				} // end anonymous namespace

				namespace clang {
				namespace ast_matchers {

				#define RANDSTRUCT_TEST_SUITE_TEST StructureLayoutRandomizationTestSuiteTest

				TEST(RANDSTRUCT_TEST_SUITE_TEST, CanDetermineIfSubsequenceExists) {
				const field_names Seq = {"a", "b", "c", "d"};

				EXPECT_TRUE(isSubsequence(Seq, {"b", "c"}));
				EXPECT_TRUE(isSubsequence(Seq, {"a", "b", "c", "d"}));
				EXPECT_TRUE(isSubsequence(Seq, {"b", "c", "d"}));
				EXPECT_TRUE(isSubsequence(Seq, {"a"}));
				EXPECT_FALSE(isSubsequence(Seq, {"a", "d"}));
				}

				#define RANDSTRUCT_TEST StructureLayoutRandomization

				TEST(RANDSTRUCT_TEST, UnmarkedStruct) {
				const std::unique_ptr<ASTUnit> AST = makeAST(R"c(
				struct test {
				int bacon;
				long lettuce;
				long long tomato;
				float mayonnaise;
				};
				)c");

				EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred());

				const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test");

				EXPECT_FALSE(RD->hasAttr<RandomizeLayoutAttr>());
				EXPECT_FALSE(RD->isRandomized());
				}

				TEST(RANDSTRUCT_TEST, MarkedNoRandomize) {
				const std::unique_ptr<ASTUnit> AST = makeAST(R"c(
				struct test {
				int bacon;
				long lettuce;
				long long tomato;
				float mayonnaise;
				} __attribute__((no_randomize_layout));
				)c");

				EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred());

				const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test");

				EXPECT_TRUE(RD->hasAttr<NoRandomizeLayoutAttr>());
				EXPECT_FALSE(RD->isRandomized());
				}

				TEST(RANDSTRUCT_TEST, MarkedRandomize) {
				const std::unique_ptr<ASTUnit> AST = makeAST(R"c(
				struct test {
				int bacon;
				long lettuce;
				long long tomato;
				float mayonnaise;
				} __attribute__((randomize_layout));
				)c");

				EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred());

				const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test");

				EXPECT_TRUE(RD->hasAttr<RandomizeLayoutAttr>());
				EXPECT_TRUE(RD->isRandomized());
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions Any idea what's gone wrong here? (Do we have a bug to file because these come out reversed? If so, can you add a FIXME comment here that we expect this test to change someday?) aaron.ballman: Any idea what's gone wrong here? (Do we have a bug to file because these come out reversed? If…
				voidAuthorUnsubmitted Done Reply Inline Actions I think it's just a case where Windows' algorithm for `std::mt19937` is subtly different than the one for Linux. I'm not sure we should worry about it too much, to be honest. As long as it produces a deterministic output on the same platform we should be fine. I think it's expected that the same compiler/environment is used during all compilation steps. (I.e., one's not going to compile a module on Windows for a kernel build on Linux.) void: I think it's just a case where Windows' algorithm for `std::mt19937` is subtly different than…
				aaron.ballmanUnsubmitted Done Reply Inline Actions Okay, that's a great reason for this to be left alone. aaron.ballman: Okay, that's a great reason for this to be left alone.
				jyknightUnsubmitted Not Done Reply Inline Actions I do think that as an ideal, a compile run on one host platform ought to produce the exact same output as a compile run on another (presuming a triple and sysroot are provided, and mumblemumble file-paths). But I have no idea how close or far we currently are from such an ideal. jyknight: I do think that as an //ideal//, a compile run on one host platform ought to produce the exact…
				voidAuthorUnsubmitted Done Reply Inline Actions I completely agree. Alternatively, we could use some other RNG-type algorithm that will be the same across platforms. void: I completely agree. Alternatively, we could use some other RNG-type algorithm that will be the…
				}

				TEST(RANDSTRUCT_TEST, MismatchedAttrsDeclVsDef) {
				const std::unique_ptr<ASTUnit> AST = makeAST(R"c(
				struct test __attribute__((randomize_layout));
				struct test {
				int bacon;
				long lettuce;
				long long tomato;
				float mayonnaise;
				} __attribute__((no_randomize_layout));
				)c");

				EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred());

				DiagnosticsEngine &Diags = AST->getDiagnostics();

				EXPECT_FALSE(Diags.hasFatalErrorOccurred());
				EXPECT_FALSE(Diags.hasUncompilableErrorOccurred());
				EXPECT_FALSE(Diags.hasUnrecoverableErrorOccurred());
				EXPECT_EQ(Diags.getNumWarnings(), 1u);
				EXPECT_EQ(Diags.getNumErrors(), 0u);
				}

				TEST(RANDSTRUCT_TEST, MismatchedAttrsRandomizeVsNoRandomize) {
				const std::unique_ptr<ASTUnit> AST = makeAST(R"c(
				struct test2 {
				int bacon;
				long lettuce;
				long long tomato;
				float mayonnaise;
				} __attribute__((randomize_layout)) __attribute__((no_randomize_layout));
				)c");

				EXPECT_TRUE(AST->getDiagnostics().hasErrorOccurred());

				DiagnosticsEngine &Diags = AST->getDiagnostics();

				EXPECT_TRUE(Diags.hasUncompilableErrorOccurred());
				EXPECT_TRUE(Diags.hasUnrecoverableErrorOccurred());
				EXPECT_EQ(Diags.getNumWarnings(), 0u);
				EXPECT_EQ(Diags.getNumErrors(), 1u);
				}

				TEST(RANDSTRUCT_TEST, MismatchedAttrsNoRandomizeVsRandomize) {
				const std::unique_ptr<ASTUnit> AST = makeAST(R"c(
				struct test3 {
				int bacon;
				long lettuce;
				long long tomato;
				float mayonnaise;
				} __attribute__((no_randomize_layout)) __attribute__((randomize_layout));
				)c");

				EXPECT_TRUE(AST->getDiagnostics().hasErrorOccurred());
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions Is the assertion unrelated to the changes in your patch and you just happen to hit it with this test? (I get worried when tests trigger assertions.) aaron.ballman: Is the assertion unrelated to the changes in your patch and you just happen to hit it with this…
				voidAuthorUnsubmitted Done Reply Inline Actions To be honest, I haven't looked at these tests. I inherited them from the previous code base. I'll revisit these and probably delete them if they're not useful. void: To be honest, I haven't looked at these tests. I inherited them from the previous code base.
				aaron.ballmanUnsubmitted Done Reply Inline Actions Okay, that sounds good to me. aaron.ballman: Okay, that sounds good to me.

				DiagnosticsEngine &Diags = AST->getDiagnostics();

				EXPECT_TRUE(Diags.hasUncompilableErrorOccurred());
				EXPECT_TRUE(Diags.hasUnrecoverableErrorOccurred());
				EXPECT_EQ(Diags.getNumWarnings(), 0u);
				EXPECT_EQ(Diags.getNumErrors(), 1u);
				}

				TEST(RANDSTRUCT_TEST, CheckAdjacentBitfieldsRemainAdjacentAfterRandomization) {
				const std::unique_ptr<ASTUnit> AST = makeAST(R"c(
				struct test {
				int a;
				int b;
				int x : 1;
				int y : 1;
				int z : 1;
				int c;
				} __attribute__((randomize_layout));
				)c");

				EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred());

				const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test");
				const field_names Actual = getFieldNamesFromRecord(RD);
				const field_names Subseq = {"x", "y", "z"};

				EXPECT_TRUE(RD->isRandomized());
				EXPECT_TRUE(isSubsequence(Actual, Subseq));
				}

				TEST(RANDSTRUCT_TEST, CheckVariableLengthArrayMemberRemainsAtEndOfStructure) {
				const std::unique_ptr<ASTUnit> AST = makeAST(R"c(
				struct test {
				int a;
				double b;
				short c;
				char name[];
				} __attribute__((randomize_layout));
				)c");

				EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred());

				const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test");

				EXPECT_TRUE(RD->isRandomized());
				}

				TEST(RANDSTRUCT_TEST, RandstructDoesNotOverrideThePackedAttr) {
				const std::unique_ptr<ASTUnit> AST = makeAST(R"c(
				struct test_struct {
				char a;
				float b[3];
				short c;
				int d;
				} __attribute__((packed, randomize_layout));

				struct another_struct {
				char a;
				char b[5];
				int c;
				} __attribute__((packed, randomize_layout));

				struct last_struct {
				char a;
				long long b;
				int c[];
				} __attribute__((packed, randomize_layout));
				)c");

				EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred());

				// FIXME (?): calling getASTRecordLayout is probably a necessary evil so that
				// Clang's RecordBuilders can actually flesh out the information like
				// alignment, etc.
				{
				const RecordDecl *RD =
				getRecordDeclFromAST(AST->getASTContext(), "test_struct");
				const ASTRecordLayout *Layout =
				&AST->getASTContext().getASTRecordLayout(RD);

				EXPECT_TRUE(RD->isRandomized());
				EXPECT_EQ(19, Layout->getSize().getQuantity());
				}

				{
				const RecordDecl *RD =
				getRecordDeclFromAST(AST->getASTContext(), "another_struct");
				const ASTRecordLayout *Layout =
				&AST->getASTContext().getASTRecordLayout(RD);

				EXPECT_TRUE(RD->isRandomized());
				EXPECT_EQ(10, Layout->getSize().getQuantity());
				}

				{
				const RecordDecl *RD =
				getRecordDeclFromAST(AST->getASTContext(), "last_struct");
				const ASTRecordLayout *Layout =
				&AST->getASTContext().getASTRecordLayout(RD);

				EXPECT_TRUE(RD->isRandomized());
				EXPECT_EQ(9, Layout->getSize().getQuantity());
				}
				}

				TEST(RANDSTRUCT_TEST, ZeroWidthBitfieldsSeparateAllocationUnits) {
				const std::unique_ptr<ASTUnit> AST = makeAST(R"c(
				struct test {
				int a : 1;
				int : 0;
				int b : 1;
				} __attribute__((randomize_layout));
				)c");

				EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred());

				const RecordDecl *RD = getRecordDeclFromAST(AST->getASTContext(), "test");

				EXPECT_TRUE(RD->isRandomized());
				}

				TEST(RANDSTRUCT_TEST, RandstructDoesNotRandomizeUnionFieldOrder) {
				const std::unique_ptr<ASTUnit> AST = makeAST(R"c(
				union test_union {
				int a;
				int b;
				int c;
				int d;
				int e;
				int f;
				} __attribute__((randomize_layout));
				)c");

				EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred());

				const RecordDecl *RD =
				getRecordDeclFromAST(AST->getASTContext(), "test_union");

				EXPECT_FALSE(RD->isRandomized());
				}

				TEST(RANDSTRUCT_TEST, AnonymousStructsAndUnionsRetainFieldOrder) {
				const std::unique_ptr<ASTUnit> AST = makeAST(R"c(
				struct test_struct {
				int a;
				struct sub_struct {
				int b;
				int c;
				int d;
				int e;
				int f;
				} __attribute__((randomize_layout)) s;
				int f;
				struct {
				int g;
				int h;
				int i;
				int j;
				int k;
				};
				int l;
				union {
				int m;
				int n;
				int o;
				int p;
				int q;
				};
				int r;
				} __attribute__((randomize_layout));
				)c");

				EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred());

				const RecordDecl *RD =
				getRecordDeclFromAST(AST->getASTContext(), "test_struct");

				EXPECT_TRUE(RD->isRandomized());

				bool AnonStructTested = false;
				bool AnonUnionTested = false;

				for (const Decl *D : RD->decls())
				if (const FieldDecl *FD = dyn_cast<FieldDecl>(D)) {
				if (const auto *Record = FD->getType()->getAs<RecordType>()) {
				RD = Record->getDecl();
				if (RD->isAnonymousStructOrUnion()) {
				// These field orders shouldn't change.
				if (RD->isUnion()) {
				const field_names Expected = {"m", "n", "o", "p", "q"};

				EXPECT_EQ(Expected, getFieldNamesFromRecord(RD));
				AnonUnionTested = true;
				} else {
				const field_names Expected = {"g", "h", "i", "j", "k"};

				EXPECT_EQ(Expected, getFieldNamesFromRecord(RD));
				AnonStructTested = true;
				}
				}
				}
				}

				EXPECT_TRUE(AnonStructTested);
				EXPECT_TRUE(AnonUnionTested);
				}

				} // namespace ast_matchers
				} // namespace clang

This is an archive of the discontinued LLVM Phabricator instance.

[randstruct] Add randomize structure layout supportClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 421754

clang/docs/ReleaseNotes.rst

clang/include/clang/AST/Decl.h

clang/include/clang/AST/DeclBase.h

clang/include/clang/AST/Randstruct.h

clang/include/clang/Basic/Attr.td

clang/include/clang/Basic/AttrDocs.td

clang/include/clang/Basic/DiagnosticDriverKinds.td

clang/include/clang/Basic/DiagnosticSemaKinds.td

clang/include/clang/Basic/LangOptions.h

clang/include/clang/Driver/Options.td

clang/lib/AST/CMakeLists.txt

clang/lib/AST/Decl.cpp

clang/lib/AST/Randstruct.cpp

clang/lib/Driver/ToolChains/Clang.cpp

clang/lib/Frontend/CompilerInvocation.cpp

clang/lib/Sema/SemaCast.cpp

clang/lib/Sema/SemaDecl.cpp

clang/lib/Sema/SemaDeclAttr.cpp

clang/test/Misc/pragma-attribute-supported-attributes-list.test

clang/unittests/AST/CMakeLists.txt

clang/unittests/AST/RandstructTest.cpp

[randstruct] Add randomize structure layout support
ClosedPublic